Static buffer overflow in RT-Thread rt-link utility #8289

Open
0xdea opened this issue Nov 24, 2023 · 2 comments

Comments


0xdea commented Nov 24, 2023

Hi,

I would like to report another potential vulnerability in the current version of RT-Thread. Please let me know if you plan to ask for a CVE ID in case the vulnerability is confirmed. I'm available if you need further clarifications.

Potential static buffer overflow in RT-Thread rt-link utility

Summary

I spotted a potential static buffer overflow vulnerability at the following location in the RT-Thread rt-link utility source code:
https://github.com/RT-Thread/rt-thread/blob/master/components/utilities/rt-link/src/rtlink.c#L239

Details

The lack of a length check in the frame_send() function could lead to a static buffer overflow at the marked line:

```c
static rt_ssize_t frame_send(struct rt_link_frame *frame)
{
    rt_size_t length = 0;
    rt_uint8_t *data = RT_NULL;

    rt_memset(rt_link_scb->sendbuffer, 0, sizeof(rt_link_scb->sendbuffer));
    data = rt_link_scb->sendbuffer;
    length = RT_LINK_HEAD_LENGTH;
    if (frame->head.crc)
    {
        length += RT_LINK_CRC_LENGTH;
    }
    if (frame->head.extend)
    {
        length += RT_LINK_EXTEND_LENGTH;
    }

    length += frame->data_len;
    frame->head.length = frame->data_len;
    rt_memcpy(data, &frame->head, RT_LINK_HEAD_LENGTH);
    data = data + RT_LINK_HEAD_LENGTH;
    if (frame->head.extend)
    {
        rt_memcpy(data, &frame->extend, RT_LINK_EXTEND_LENGTH);
        data = data + RT_LINK_EXTEND_LENGTH;
    }
    if (frame->attribute == RT_LINK_SHORT_DATA_FRAME || frame->attribute == RT_LINK_LONG_DATA_FRAME)
    {
        rt_memcpy(data, frame->real_data, frame->data_len); /* VULN: static buffer overflow, if frame->data_len > 1024 - 4 (it's a rt_uint16_t so at least in theory can be up to 65535) */
        data = data + frame->data_len;
    }
    if (frame->head.crc)
    {
        frame->crc = rt_link_scb->calculate_crc(RT_FALSE, rt_link_scb->sendbuffer, length - RT_LINK_CRC_LENGTH);
        rt_memcpy(data, &frame->crc, RT_LINK_CRC_LENGTH);
    }

    LOG_D("frame send seq(%d) len(%d) attr:(%d), crc:(0x%08x).", frame->head.sequence, length, frame->attribute, frame->crc);
    return rt_link_hw_send(rt_link_scb->sendbuffer, length);
}
```

Impact

If the unchecked input above is confirmed to be attacker-controlled and crossing a security boundary, the impact of the reported buffer overflow vulnerability could range from denial of service to arbitrary code execution.
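A hardened version of the send path, added here as an illustration and not RT-Thread's code or its eventual fix: it models the report's 1024-byte static sendbuffer and 4-byte head (the extend and CRC lengths, the struct layout and the sample payload are assumptions) and rejects a frame whose data_len cannot fit in the remaining space before any copy happens.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of the rt-link send path. Sizes are assumptions taken
 * from the report (1024-byte static sendbuffer, 4-byte head); the extend
 * and CRC lengths are placeholders, not RT-Thread's real values. */
#define LINK_SENDBUF_SIZE   1024u
#define LINK_HEAD_LENGTH    4u
#define LINK_EXTEND_LENGTH  4u
#define LINK_CRC_LENGTH     4u

struct link_frame {
    uint8_t        crc;        /* head.crc flag: CRC trailer follows data */
    uint8_t        extend;     /* head.extend flag: extended head present */
    uint16_t       data_len;   /* 16-bit payload length, as in rt-link    */
    const uint8_t *real_data;  /* payload to copy into the send buffer    */
};

static uint8_t sendbuffer[LINK_SENDBUF_SIZE];

/* Constructed payload source, large enough for every case below. */
static const uint8_t sample_payload[LINK_SENDBUF_SIZE] = { 0xAB };

/* Stages a frame into sendbuffer. Returns the framed length, or -1 when the
 * frame would not fit: the bounds check the reported frame_send() lacks. */
ssize_t frame_send_checked(const struct link_frame *frame)
{
    size_t length = LINK_HEAD_LENGTH;
    uint8_t *data;

    if (frame->crc)    length += LINK_CRC_LENGTH;
    if (frame->extend) length += LINK_EXTEND_LENGTH;
    /* Reject before touching the buffer. data_len is untrusted if it came
     * off the wire, so compare it with the space that actually remains. */
    if (frame->data_len > LINK_SENDBUF_SIZE - length)
        return -1;
    length += frame->data_len;

    memset(sendbuffer, 0, sizeof(sendbuffer));
    data = sendbuffer;
    data[0] = (uint8_t)(frame->data_len & 0xFF);     /* head.length, low  */
    data[1] = (uint8_t)(frame->data_len >> 8);       /* head.length, high */
    data += LINK_HEAD_LENGTH;
    if (frame->extend) data += LINK_EXTEND_LENGTH;   /* extend bytes stay 0 */
    memcpy(data, frame->real_data, frame->data_len); /* now within bounds */
    /* CRC trailer is not computed in this model; its room is reserved. */
    return (ssize_t)length;
}
```

The comparison must use the space left after the fixed head, extend and CRC bytes, not the raw buffer size, or a payload that fits the buffer alone still overruns once the trailer is appended.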


0xdea commented Dec 24, 2023

Hi, it's been one month since I reported this vulnerability, and I wanted to ask if you have any update. As standard practice, I plan to request a CVE ID for every confirmed vulnerability. I also intend to publish an advisory by February at the latest, unless there's a specific reason to postpone. Thanks!

@0xdea 0xdea changed the title Potential static buffer overflow in RT-Thread rt-link utility Static buffer overflow in RT-Thread rt-link utility Feb 2, 2024

0xdea commented Feb 8, 2024

Hi there, CVE-2024-25395 was assigned to this vulnerability. I'm planning to publish my security advisory and writeup on March 5th. Thanks.
