catalinv-ncc opened a new pull request, #19070: URL: https://github.com/apache/nuttx/pull/19070
drivers/contactless: Stack Overflow in PN532 Contactless Driver

When calling the Set RF Configuration command, a compromised user process can trigger memory corruption in the kernel. This can lead to a system crash or potentially arbitrary code execution in the kernel.

Changes:

1. One cosmetic, to avoid confusion:
   From: `uint8_t cmd_buffer[15 + 7];`
   To: `uint8_t cmd_buffer[6 + 16];`
   The array is packed so it is exactly 6 bytes, also a flex array in C99 (data is not part of the sizeof struct).
2. The whole thing needs to be 6+16 bytes max, but the first byte of data is populated by `pn532_frame_init()`, then the second byte is set by `f->data[1] = conf->cfg_item;`, which means the memset() starting at index 2 only has 14 bytes left. So there is a 2 byte overflow. It should only allow up to 14 bytes to be copied.

*Note: Please adhere to [Contributing Guidelines](https://github.com/apache/nuttx/blob/master/CONTRIBUTING.md).*

## Summary

*Update this section with information on why the change is necessary, what exactly it does and how; if a new feature shows up, provide references (dependencies, similar problems and solutions), etc.*

## Impact

*Update this section, where applicable, on how the change affects users, build process, hardware, documentation, security, compatibility, etc.*

## Testing

*This section should provide a detailed description of what you did to verify your changes work and do not break existing code.*

*Please provide information about your host machine, the board(s) you tested your changes on, and how you tested. Logs should be included.*

*For example, when changing something in the core OS functions, you may want to run the OSTest application to verify that there are no regressions. Changes to ADC code may warrant running the `adc` example. Adding a new uORB driver may require that you run `uorb_listener` to verify correct operation.*

*Pure documentation changes can just be tested with `make html` (see docs) and verification of the correct format in your browser.*

**_PRs without testing information will not be accepted. We will request test logs._**

-- This is an automated message from the Apache Git Service.
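As an added illustration of the bound the PR argues for (this is not code from the PR or from NuttX), a hypothetical reconstruction of the frame layout it describes: a packed 6-byte header followed by a C99 flexible array, with `data[0]` taken by the command code and `data[1]` by `cfg_item`, so at most 14 bytes of caller-supplied configuration data fit in the 16-byte payload and anything larger is rejected before the buffer is touched. The field names, the request struct and the command byte `0x32` are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Assumed layout: header is exactly 6 bytes when packed, and the flexible
 * array member contributes nothing to sizeof(), so the payload must live
 * in the caller's cmd_buffer[6 + 16]. */
#define PN532_HDR_SIZE   6
#define PN532_PAYLOAD    16
#define PN532_RFCONF_MAX (PN532_PAYLOAD - 2)   /* 14: data[0], data[1] are taken */

struct pn532_frame_s
{
  uint8_t preamble;
  uint8_t start_code[2];
  uint8_t len;
  uint8_t lcs;
  uint8_t tfi;
  uint8_t data[];                /* flexible array member, not in sizeof */
} __attribute__((packed));

/* Hypothetical user request: the two fields the PR mentions plus the bytes. */
struct pn532_rfconf_s
{
  uint8_t cfg_item;
  uint8_t data_size;
  uint8_t data[PN532_PAYLOAD];
};

/* Builds the RFConfiguration payload into buf. Returns the number of
 * payload bytes written, or -EINVAL when the request cannot fit. */
int pn532_build_rfconf(uint8_t *buf, size_t buflen,
                       const struct pn532_rfconf_s *conf)
{
  struct pn532_frame_s *f = (struct pn532_frame_s *)buf;

  /* Reject oversized input before any write: this is the missing check. */
  if (buflen < PN532_HDR_SIZE + PN532_PAYLOAD ||
      conf->data_size > PN532_RFCONF_MAX)
    {
      return -EINVAL;
    }

  memset(buf, 0, buflen);
  f->data[0] = 0x32;             /* assumed RFConfiguration command code */
  f->data[1] = conf->cfg_item;   /* second payload byte, as in the PR */
  memcpy(&f->data[2], conf->data, conf->data_size);   /* at most 14 bytes */
  return 2 + conf->data_size;
}

/* Convenience wrapper: attempts a request carrying data_size bytes. */
int pn532_rfconf_try(uint8_t data_size)
{
  uint8_t buf[PN532_HDR_SIZE + PN532_PAYLOAD];
  struct pn532_rfconf_s conf;

  memset(&conf, 0, sizeof(conf));
  conf.cfg_item = 0x01;
  conf.data_size = data_size;
  return pn532_build_rfconf(buf, sizeof(buf), &conf);
}
```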
