jerpelea opened a new pull request, #19077:
URL: https://github.com/apache/nuttx/pull/19077

nrf91_usrsock_ioctl_handler() copies req->arglen bytes from the request
payload into the fixed-size usrsock->out buffer without validating that the
payload actually fits either the received request or the destination buffer. A
crafted ioctl request with an inflated arglen triggers:

1. OOB read — memcpy reads past the end of the received request.
2. OOB write — memcpy writes past the end of usrsock->out.

Add three checks before the copy:

- len >= sizeof(*req): ensure the full request header is present.
- copylen <= len - sizeof(*req): payload must fit the received data.
- copylen <= sizeof(usrsock->out) - sizeof(*ack): payload must fit the
  destination buffer.

The recvfrom handler in the same file already performs the equivalent
buffer-size check (line 892). Fixes #18515.

--
This is an automated message from the Apache Git Service.
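
The three checks listed in the commit message, as an added example that is not code from the pull request or from NuttX. The `demo_` structures, their field layouts, the 64-byte buffer and the `demo_try` helper are hypothetical stand-ins; only the names `arglen`, `out`, `len` and `copylen` follow the message above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the request/ack headers and the output buffer;
 * the real NuttX structures are not reproduced here. */
struct demo_req { uint32_t cmd; uint16_t arglen; };
struct demo_ack { uint32_t xid; int32_t result; };
struct demo_usrsock { uint8_t out[64]; };

/* Copy the ioctl payload that follows the request header into out[],
 * behind the ack header. Returns bytes copied or -EINVAL. */
int demo_ioctl_copy(struct demo_usrsock *us, const void *data, size_t len)
{
  struct demo_req req;
  size_t copylen;

  /* Check 1: the whole header must be present before arglen is read. It
   * also keeps the unsigned subtraction in check 2 from wrapping around. */
  if (len < sizeof(req))
    return -EINVAL;
  memcpy(&req, data, sizeof(req));
  copylen = req.arglen;

  /* Check 2: payload must fit in the bytes actually received (OOB read). */
  if (copylen > len - sizeof(req))
    return -EINVAL;

  /* Check 3: payload must fit behind the ack header in out[] (OOB write). */
  if (copylen > sizeof(us->out) - sizeof(struct demo_ack))
    return -EINVAL;

  memcpy(us->out + sizeof(struct demo_ack),
         (const uint8_t *)data + sizeof(req), copylen);
  return (int)copylen;
}

/* Constructed input: a message of `total` bytes whose header claims `arglen`. */
int demo_try(size_t total, uint16_t arglen)
{
  uint8_t msg[256] = {0};
  struct demo_req req = { 1, arglen };
  struct demo_usrsock us;

  if (total > sizeof(msg)) return -EINVAL;
  memcpy(msg, &req, sizeof(req) < total ? sizeof(req) : total);
  return demo_ioctl_copy(&us, msg, total);
}
```

The order of the checks matters: without the header-length check first, `len - sizeof(req)` is an unsigned subtraction that wraps to a huge value for a short message, and the second check would pass anything.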