Zepp-Hanzj opened a new pull request, #19000: URL: https://github.com/apache/nuttx/pull/19000
## Description

Fix out-of-bounds read and write in `usrsock_ioctl_handler()` in `arch/sim/src/sim/sim_usrsock.c`, the same class of vulnerability already fixed in `nrf91_modem_sock.c` (PR #18998).

### Problem

`usrsock_ioctl_handler()` copies `req->arglen` bytes from the request payload into the fixed-size `usrsock->out` buffer (`SIM_USRSOCK_BUFSIZE` = 400KB) without validating that the payload fits either the received request or the destination buffer. A crafted ioctl request with an inflated `arglen` triggers OOB read and OOB write.

### Solution

Add three validation checks before the `memcpy`, identical to the fix applied to `nrf91_modem_sock.c`:

- `len >= sizeof(*req)`: ensure the full request header is present.
- `copylen <= len - sizeof(*req)`: payload must fit the received data.
- `copylen <= SIM_USRSOCK_BUFSIZE - sizeof(*ack)`: payload must fit the destination buffer.

### Verification

✅ **Checkpatch**: All checks pass
✅ **Consistency**: Pattern matches the nrf91 fix (PR #18998) and the recvfrom handler buffer-size check

### References

- PR #18998 (same fix for nrf91)
- Issue #18515 (original vulnerability report)

### Signed-off-by

hanzj <[email protected]>

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
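Added illustration, not code from the PR or from NuttX: the three checks in the order the PR lists them, applied in a stand-alone handler over constructed request/ack layouts. `ioctl_req_s`, `ioctl_ack_s`, `OUT_BUFSIZE` and `try_request` are hypothetical stand-ins for the NuttX types and `SIM_USRSOCK_BUFSIZE`; the order of the first two checks matters, because `len - sizeof(req)` would wrap if the header check ran second.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins (hypothetical layouts): a 64-byte output buffer
 * replaces the 400KB SIM_USRSOCK_BUFSIZE so the limits are easy to hit. */
#define OUT_BUFSIZE 64

struct ioctl_req_s { uint32_t cmd; uint16_t arglen; }; /* arglen = payload bytes after header */
struct ioctl_ack_s { int32_t result; };                /* written ahead of the copied payload */

static uint8_t out_buf[OUT_BUFSIZE];

/* Hardened handler. 'len' is the byte count actually received for this
 * request. Returns 0 after copying the payload behind the ack header, or -1
 * if any check fails. The unpatched code trusted req->arglen and called
 * memcpy directly, giving both the OOB read and the OOB write. */
int ioctl_handler_checked(const uint8_t *data, size_t len)
{
  struct ioctl_req_s req;
  struct ioctl_ack_s ack = { 0 };
  size_t copylen;

  /* 1. Full request header present? Must run first so check 2 cannot underflow. */
  if (len < sizeof(req))
    return -1;
  memcpy(&req, data, sizeof(req));          /* header read only after the check */
  copylen = req.arglen;

  /* 2. Payload must fit the data we actually received (prevents OOB read). */
  if (copylen > len - sizeof(req))
    return -1;

  /* 3. Payload must fit the destination behind the ack header (prevents OOB write). */
  if (copylen > OUT_BUFSIZE - sizeof(ack))
    return -1;

  memcpy(out_buf, &ack, sizeof(ack));
  memcpy(out_buf + sizeof(ack), data + sizeof(req), copylen);
  return 0;
}

/* Test helper: build a request claiming 'arglen' payload bytes (constructed
 * 0xAA filler) and hand only the first 'len' bytes of it to the handler. */
int try_request(uint16_t arglen, size_t len)
{
  static uint8_t pkt[256];
  struct ioctl_req_s req = { .cmd = 0x1234, .arglen = arglen };

  memset(pkt, 0xAA, sizeof(pkt));
  memcpy(pkt, &req, sizeof(req));
  return ioctl_handler_checked(pkt, len);
}
```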
