orbisai0security opened a new pull request, #19407: URL: https://github.com/apache/nuttx/pull/19407
## Summary Fix critical severity security issue in `net/rpmsg/rpmsg_sockif.c`. ## Vulnerability | Field | Value | |-------|-------| | **ID** | V-002 | | **Severity** | CRITICAL | | **Scanner** | multi_agent_ai | | **Rule** | `V-002` | | **File** | `net/rpmsg/rpmsg_sockif.c:376` | | **Assessment** | Likely exploitable | | **Chain Complexity** | 2-step | **Description**: The RPMSG socket interface and IPv6 neighbor discovery code perform memcpy() operations where the copy length (conn->recvlen) is derived from network-supplied data without verifying that the destination buffer (conn->recvdata) has sufficient capacity to hold the specified number of bytes. An attacker who can send crafted RPMSG or network packets with a manipulated length field can cause the memcpy() to write beyond the allocated buffer boundary, corrupting adjacent heap or stack memory. ## Evidence **Scanner confirmation**: multi_agent_ai rule `V-002` flagged this pattern. **Production code**: This file is in the production codebase, not test-only code. ## Threat Model Context This is a local CLI tool - exploitation requires the attacker to control command-line arguments or input files. ## Changes - `net/rpmsg/rpmsg_sockif.c` > **Note**: The following lines in the same file use a similar pattern and may also need review: `net/rpmsg/rpmsg_sockif.c:388`, `net/rpmsg/rpmsg_sockif.c:641`, `net/rpmsg/rpmsg_sockif.c:659`, `net/rpmsg/rpmsg_sockif.c:1066`, `net/rpmsg/rpmsg_sockif.c:1160` (and 3 more) ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
