Buffer overflow in .bss section due to SNMP request overflow #1352
Labels
Comments
Merged
pjonsson
added a commit
to pjonsson/contiki-ng
that referenced
this issue
Dec 7, 2023
Commits: 2b7495b85 Merge branch 'develop' 2c9d1f1dc Finalize release 5.9.0 a80777cc2 Update README to track latest release (on master branch), automatically. 8a6456224 Doxygen: added description for __CM85_REV 4745ac945 Doxygen: Added more references to STAR-MC1 7f6736246 Doxygen: fixed incorrect link a7f60caa8 README.md: Removed bold links c6eb294df README.md: Added reference to CMSIS-Build 101987b3e Doxygen: Fixed Revision History for 5.9.0 7ea933ed3 Doxygen: Added PMU documentation for CM85 and extended for CM55 c438b59ca Doxygen: Extended with Cortex-M85 references 184ccfd0e CMSIS-NN: Fix SVDF bug for ARM_MATH_DSP (contiki-ng#1473) 0a7176aa7 CMSIS-NN: Improve performance for armclang 6.18 (contiki-ng#1471) 91469ffaa Doxygen: Minor rework/typo fixes in RTOS Validation page. e8a03d12f Update change history and versions e197f7899 CMSIS-Core(M): Add Cortex-M85 support ed8b8f098 CMSIS-DSP: Corrected build issue with Neon e09ef11e3 CMSIS-DAP: Update version and revision history f1b847670 DAP: use same clock delay calculation in DAP_Setup() and DAP_SWJ_Clock(). (contiki-ng#1301) badbad39f CMSIS-DSP: Corrected typo in some compilation flags for CFFT F64 6d1d4e744 Doxygen: Updated "RTOS Validation" page with references to CMSIS-RTOS2 Validation 26238a4c2 Utilities: Bump SVDConv to 3.3.42 d9cfca31b CMSIS-DSP: Added new functions to Python wrapper 244e279d7 CMSIS-DSP: scalar atan2 q31, q15, f32 and f16 61a22cd0e Remove deprecated docs and schemas for CMSIS-Pack and CMSIS-Build 12bcacdcd Updated Cortex-M55 core header - corrected MemSysCtl_Type 1154cfa37 Change syntax of immediate values in inline assembler (contiki-ng#1463) 8eeca0353 Record new Armv8.1-M RTX5 libraries for IAR compiler 856cf46ba CMSIS-NN: Add SVDF state tensor with 8 bit precision (contiki-ng#1461) 124dfbc38 RTX5: update library fetch script to get the latest libraries 2c1f69b0a RTX5: update library projects (CMSIS pack version) f6f84dc12 RTX5: minor optimization in osRtxThreadDelayTick (contiki-ng#1405) 9a59eb097 CMSIS-DSP: Removed compilation warnings f97d532df DSP: Remove undefined behavior in post-increment/decrement read (contiki-ng#1443) 1b7e0cef1 CMSIS-Build: added documentation redirects to CMSIS-Toolbox cdd6f016c DoxyGen: Fixup gen_doc.sh ca8e60b6b CMSIS-Pack: Redirects in documentation to Open-CMSIS-Pack 128f26c2c CMSIS-Build: fixed formatting e6057306d Fixed 2 broken links cffde8d82 Documentation: CMSIS-Build: Attempt to fix a formatting issue d83fcdacb Documentation CMSIS-Build: section formatting fixed 88fb712be Documentation CMSIS-Build: links fixed c716ce6eb CMSIS-Toolbox Image source added d379917d3 Documentation: Core - formatting issue fixed, Build: finalized CMSIS-Toolbox c224b718b Documentation: CMSIS-Build replaced by CMSIS-Toolbox 1de0652ea CMSIS-NN: Fix DoxyGen warnings (contiki-ng#1459) 70ebbba0e RTX5: add _fp_init function prototype (contiki-ng#1462) 85dc04673 Update core_starmc1.h 2d17771f8 Add script to fetch PackChk/SVDConv from their release location. 00a6cfe33 CMSIS-DSP: Mean square error for q15, q31, f16, f32, f64. Reworked q7 to have a bit more accuracy. 5fc60b98a Update core_starmc1.h 03b248928 SVD: Add SMC1 (Arm China STAR-MC1) to cpuNameType. f418ea60b Bump next release version to 5.9.0 ba2deb997 CMSIS-DSP: Mean square error q7 e12ff84cd Fixing compilation issue with Visual Studio 2022 in Arm64EC (contiki-ng#1450) f8c603ec8 Fix signature of __USAT in documentation. 3f4a0c0d8 CMSIS Device: fixed typo in scatter files. 23f2e7f0b CMSIS-Driver WiFi: Update documentation (contiki-ng#1452) 5b437de37 DoxyGen: Fix white-space in CMSIS-Driver documentation (affects formatting) 53dc7aac4 CMSIS Device: Updated system_ARMCM55.c - corrected "Clear ELPSTATE". 865fef634 Rename core_star.h to core_starmc1.h 4fc5c2c2c Core(A): Fixed __RBIT implementation (issue contiki-ng#1445) 9dc018e60 CMSIS-NN: Correct bug in softmax (contiki-ng#1442) 0edf39abb CMSIS-NN: Add back missing prototype (contiki-ng#1438) 4075efea8 CMSIS-Core(M): Add missing registers to core_cm55.h 97cc02b7d CMSIS-DSP: New PythonWrapper example 18205c6c2 RTX5: Fix timer interval when periodic timer is restarted e776dfa70 Rebase - Update version number (contiki-ng#1423) b8a7fd887 CMSIS-DSP: Corrected issue in python example. 5c6bba13b CMSIS-DSP: Improved the noise suppression example in the Python wrapper. cf6752801 CMSIS-NN: Add softmax s16 support (contiki-ng#1425) 06ff5e705 CMSIS-DSP: Updated documentation of a Python example. 63b7c29b8 CMSIS-DSP: Update Python examples 743f8a3a6 CMSIS-DSP: Updated Jupyter notebook example 7106010d4 CMSIS-DSP: Added missing functions to the Python wrapper 6cdb1a09f CMSIS-DSP: Update Python wrapper README and example f7b3f092f CMSIS-DSP: Added a new Python example b0c7f1933 This fixed some GCC warnings with -WConversion enabled: (contiki-ng#1427) 9e87d990b Enhance component conditions for Dcore="Star-MC1" b173194a3 CMSIS-DSP: Removed hardcoded path in SDFTools example7. 9b5df640c CMSIS-DSP: Removed pattern file from PythonWrapper tests c8a9c18b7 CMSIS-DSP: Refactoring of the PythonWrapper and SDF a5743627a Added Jonzic 773cdffff CMSIS-NN: Add elementwise add/mul int16 and unit tests (contiki-ng#1419) addd45db2 RXT5: change order of include in rtx_lib.c (internal) 28d54ba19 RXT5: add Floating-point initialization for Arm C Library (contiki-ng#1421) 46179edb9 CMSIS-DAP: Update documentation (firmware examples) ebd65be3a CMSIS-DAP: Move v2 firmware for NXP LPC-Link2 ad0acb79f CMSIS-DAP: Remove v1 firmware for NXP LPC-Link2 80eca29f9 CMSIS-DAP: Update Firmware examples (use README.md) f2fb4f86c CMSIS-DSP: SDF Improvements 955e86721 CMSIS-NN: Update unit test readme (contiki-ng#1420) b5dff2ff5 Updates to DAP documentation e04e03a5d CMSIS-DSP: Correcting issue contiki-ng#1412 963168f61 CMSIS-NN: Refactor, remove unused function arm_nn_mat_mult_kernel_s8_s16_reordered (contiki-ng#1417) 11ff7069d Core(M): Describe scatter file templates. (contiki-ng#1376) 559d58c96 GitHub: Add check for Pack Description 9c2c03c91 GitHub: Add check for Pack Description 51d2437aa CMSIS-NN: Fix Doxygen warnings (contiki-ng#1410) 0928e574c CMSIS-NN: add kernel and unittest for int16 pooling (contiki-ng#1408) 5b58d2da8 CMSIS-NN: Add int16 support for depthwise_conv (contiki-ng#1406) 744e23939 Pack: Fixed pack version inference from git - Consider even unannotated tags in git describe. a2ea33fee CMSIS-DSP: SDF Pack Added .pack in addition ot .pdsc 4946da8d0 CMSIS-NN: Add dilation support for int16 conv (contiki-ng#1399) 1cdd0e824 CMSIS-DSP: Added some files to more easily generate a pack for SDF. 8578bbedc CMSIS-NN: Fix bug in int16 variant of fully_connected (contiki-ng#1387) 7bb14d86e tensorflow version including security patch (contiki-ng#1388) 3c79bde31 CMSIS-NN: Use single rounding (contiki-ng#1379) 6916cf55d CMSIS-NN: Update depthwise_conv_s8_generic (contiki-ng#1385) 977abe984 CMSIS-NN: Add dilation support for generic depthwise conv (contiki-ng#1384) 325443e52 Updates documentation as required by https://jira.arm.com/browse/SDCMSIS-1339 7f702ecd8 RXT5: optimize MessageQueueGet/Put (remove copying arguments) 6b8c75596 RTX5: Fix potential register R1 corruption when calling OS functions from threads multiple times with same arguments (when using high level compiler optimizations) - contiki-ng#1382 96203d74e CMSIS-DSP: Bug correction in SDF. Problems with slidding buffer. 2d81a20d4 CMSIS-NN: Add dilation support for conv (contiki-ng#1377) dc9372e8c CMSIS-DSP: Improvements to dot template in SDF d0d0ce78e CMSIS-DSP: Correction to file causing issue with git diff. fc2401a10 CMSIS-DSP: Update to graphivz generation in SDF 24f62976f CMSIS-DSP: Improved Helium CFFT Radix4 butterflies a8dbfe930 CMSIS-DSP: Improved documentation for SDF. Improved generation of graphviz. 1fab31865 DoxyGen: Fix return types for RTOS2 tick functions. 20134cea9 CMSIS-NN: Updating API documentation & adding examples directory (contiki-ng#1374) 72cdcc549 DSP: Add IAR tool chain (contiki-ng#1367) 81eacbc14 CMSIS-DSP: Updated PythonWrapper 93fc25e01 CMSIS-DSP: New min/max functions. 6368a853f CMSIS-DSP: Correcting issue contiki-ng#1358 ae50a8086 CMSIS-NN: Refactor arm_nn_mat_mul_core_4x_s8 for MVE (contiki-ng#1365) 64b94f2e9 CMSIS-DSP: Python wrapper update da01b1b98 CMSIS-DSP: Improvements to pull request contiki-ng#1363 7827e8f62 CMSIS-DSP : faster Q.15/Q.31 Helium matrix multiplications. Uses an initial transpose stage, requiring extra scratch space to hold RHS transposed matrix. b7d0b82a7 RTX: Add IAR support for v8.1 (contiki-ng#1366) 265bd14ca CMSIS-NN: Update unit test data generate script (contiki-ng#1364) 9ded67849 CMSIS-DSP: Corrected dependency issue in SDF pack. 0f29a4a34 Remove reference to Git-LFS in readme. 09029dfc3 CMSIS-DSP: Updated SDF pack. Removed unused variables in some tests. e0d78fb9b CMSIS-NN: Add Null bias check for DW conv (contiki-ng#1360) bff28575f Fix Coverity warnings. (contiki-ng#1359) f4b2bc081 Fixed bug in NN_ROUND() (contiki-ng#1295) e0848410d Fix read-out-of-bounds bug. (contiki-ng#1348) 8f6fcd019 CMake updates (contiki-ng#1357) 6c8ebf7a3 CMSIS-NN: Match im2col buffers to number of lanes(MVE) (contiki-ng#1355) e513dbdb2 CMSIS-NN: Add missing NULL bias check for conv_s8 (contiki-ng#1349) 9d9adb51f CMSIS-DSP: SDF improvement Event recorder improvements for the VHT implementation of the audio source and sink. 56d793ba4 CMSIS-NN: Do not unroll arm_nn_vec_mat_mult_t_s16() ref implementation (contiki-ng#1351) 64869aa85 CMSIS-DSP: Improve integration of VHT and SDF b04d71777 Utilities: Fix check_header.sh script. (contiki-ng#1352) b7a174ba3 CMSIS-DSP: Preliminary support for VHT in SDF. 8c60448c0 CMSIS-DSP: Added code size optimization for the SDF C++ generator. d788fd583 Docs Pack: Fixed broken text in the tutorial. f358f763b Added vendor ThinkTech:172 dca56050b CMSIS-DSP: Correction to MFCC Q15 node. efd2b93c8 Core: add missing Secure Fault syndrome registers and fix register name typo. (contiki-ng#1346) 91799570c Add core_star.h to support Arm China CPU core "STAR". (contiki-ng#1252) ac0f19701 CMSIS-DSP: SDFTools corrections Small issue in MFCC node. Corrected how literal and variable arguments are used. (Now it is more general in any order given by user). 79efd7dde Update system_ARMCM55.c (contiki-ng#1344) 972d541cc CMSIS-DSP: Improvements to some Python nodes of SDF. d7b6a57be CMSIS-DSP: Reworked sqrt q15 and q31 dd490bb23 fix issue contiki-ng#1266 1b56529ce Git: Force script files to use Unix line endings. b5600889f CMSIS-DSP: Add support to build with XCode 59ae4ee88 CMSIS-NN: Update softmax, svdf and pooling unit tests (contiki-ng#1338) 6a1158834 CMSIS-NN: Disable loop unroll in DW Conv (contiki-ng#1339) 2c2a70671 CMSIS-DSP: Add MFCC to SDFTools 4ede67652 Fix warning unused tmp variable (contiki-ng#1335) f42b2670f Ignore old c cast style not supported by apple cc (contiki-ng#1334) 15a1b2825 CMSIS-DSP: Additional fixes for issue contiki-ng#1328 513f2a918 CMSIS-DAP: Minor update in documentation (MCU-LINK example) (contiki-ng#1332) d165163c3 CMSIS-DAP: Add MCU-LINK example (contiki-ng#1331) 520994cb3 CMSIS-DSP: Correcting issue contiki-ng#1328 156cc72c0 CMSIS-DSP: Correcting issue contiki-ng#1285 97a91fdd3 DSP: Cleanup of type mismatches (contiki-ng#1327) a40852794 CMSIS-NN: Update conv, depthwise and fully_connected unit tests (contiki-ng#1321) ad7203248 CMSIS-DSP: Fixes to build with an additional compiler c48ca4e2d Adding support for Apple Compiler 2763f49ce CMSIS-DSP: Corrected some failing f16 tests. a41216311 GitHub: Fix fileheader workflow. 47d7a58c3 Utilities: Fix check_header script 17b64528d CMSIS-DSP: Corrected wrong test pattern for fixed point division. 18bfe3338 CMSIS-DSP: Corrected issue contiki-ng#1053 4a973d388 DSP: Eliminate some non-standard C code 880a94680 DSP: Eliminate some non-standard C code 12356a1a4 CMSIS-DSP: New MFCC Q15 and Q31 c6e5e852e ADIv6 extensions for SDF format 8048976f8 CMSIS-NN: Add -Ofast to unit tests and update README 19dc952c3 CMSIS-DSP: MVE versions of vlog q15 and q31 and PythonWrapper fix 0fd513ada DoxyGen: Fix broken links. 16aa21f57 DoxyGen: Fixed documentation of cache maintenance functions. e2b308c6b Updated BSP creation tutorial. eedb03509 CMSIS-DSP: Some small changes to thresholds used in test for Q15 convolution. 239448ed4 CMSIS-DSP: New f64 tests a2257dd49 Corrected the accessportV2 address type ea99ec2d0 Corrected address type for accessportv2. 10750a2b6 Added external links to <image> element. 539314518 Fixing double init values ef7a914cb Adding new f64 files to CMakeLists cb57df91d Removing defgroup from f64 & fixing double init values 4e6ee2840 Removing Doxygen group 6d64fcca5 Fixing double init value 346ff8b96 Implement some f64 methods ca1b51424 CMSIS-DSP: log f16 update c8ac9aaca Removed as superseded by pack_tutorial.txt 285816e38 CMSIS-DSP: Added MFCC F16 This first version is not very accurate due to problems with the log. A coming commit will improve the log accuracy. 0e83ba9de Correct interpol(...) arg in ComplexMathFunctions CMakeLists.txt e7de243a5 CMSIS-DSP: MFCC F32 60b4f2e62 Update requirtements.txt for unit tests ea60f7b09 Call wrapper function in depthwise_conv unit tests cbfe6e37b CMSIS-DSP: Correction os issue 1274 4f7f38fe1 CMSIS-DSP: Correcting issue 1289 A test check was disabled by mistake. 6e513eab3 CMSIS-DSP: Correcting issue 1291 Test was wrongly assuming a complex matrix / vector and so the buffer sizes were too big. 469840909 CMSIS-DSP: Correcting issue 1293 Missing const qualifier in linear interpolation 63d6063a2 CMSIS-DSP: Synchronous Data Flow c43379be6 Add DSP support for fully connected int16 9668dee6b add new vendor Socionext bb0700515 CMSIS-Driver: minor update of USART documentation 1ba622e25 CMSIS-NN: Build CMSIS-NN as a library 7450d1fb8 Added <interrupt> element to <zone> element in the *.fzone file 679f5bfc5 CMSIS-NN: Remove depdendency to CMSIS-DSP 463edef71 Class added to zone element 0fe4e1c16 CMSIS-NN: Adds support for int16 fully connected 78ed0ac44 CMSIS-NN: Update input constraint for arm_convolve_HWC_q15_fast bd3c3b199 Update README.md 01164235b CMSIS-NN: Optimized convolution for 16x8 data type 061f747ca clarifying mountedDevice b382bf4cb Added RPi 23917a71b Added RPi 76ef7838a Added FMSH 4d4838433 Added FMSH 5f69d4f79 Further fixes 2bf7756e1 Pointed Zone installation instructions to GH repo. 87b6799f7 GitHub: Add LinkChecker for DoxyGen. cafca218e GitHub: Add problem matcher for file header checker. b7e9379aa GitHub: Add action to check file headers. 68e9b6013 CMSIS-NN: Cleanup of CMSIS-DSP dependencies 0c9cd474a CMSIS-DSP: Scalar version for arm_vlog_q31 Added scalar version of arm_vlog_q15 454747173 Core(M): Fixup to the version history. d5d9f6dea people forgot the update the sub version... 61f5183d5 Added FMD 13e061819 Added FMD 6df0592c4 CMSIS-DSP: Correcting issue 1244 a0ba1d775 CMSIS-DSP : Correcting issue 1248 a6aec0c58 Fix PMU_Type in core_m55 and core_armv81mml. ee79c2197 CMSIS-NN: Add int16 conv kernel support fe90db31e CMSIS-NN: Update versions of packages in requirements.txt 5597007a0 [CMSIS-Build] Documentation: add cprj asflags "use" field description. b5d07f0f7 Jenkins/Docker: Update hadolint version. - Ignore hadolint warnings about not pinned version. e54ebc4fa Docker: Upgrade all Python packages as required. d12f5c2fe Docker: Remove pinned apt versions. ff2e43a1b Docker: Install python-matrix-runner from PyPI. 999d63b14 rtx-def: fix license - apache 2.0 9c57864cd CMSIS-DSP: Update to the README a6c2ec5e7 CMSIS-Zone documentation: linker_control added b67c66718 CMSIS-Zone: Error Messages added to Documentation 7d2371d12 Documentation for CMSIS-Zone Error Messages added. 72dd9172c CMSIS-DSP: Correction of issue 1217 Wrong initialization code for Neon version of biquad DF2T. Initialization function was trying to modify a const array. Added Neon function to Doxygen output and some correction because of Doxygen. 347ca08b5 CMSIS-DSP: Removed float promotion issues Corrected some additional warnings when compiling with AC5 compiler. Updated version numbers, 08b739316 [CMSIS-Build] Documentation: remove cbuild_uv.sh e2a89df62 [CMSIS-Build] Documentation: remove deprecated makefile generation and ccmerge. 321a6f919 Utilities: Enhanced gen_pack to be more resilient. - Generate pack outside of a Git repository. - Flag to ignore pack check errors. - Flag to overwrite pack version. e2ed3b0d0 CMSIS-DAP: synchronize DAP configuration (remove trailing whitespace) 46b8574e8 CMSIS-DAP: remove trailing whitespace on reference code. d12d2b568 Bump pack version after release. 7b68b445d GitHub: Fix release workflow. 6a2c5d7b2 Fix README link to pre-built documentation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of defect
References:
https://github.com/contiki-ng/contiki-ng/tree/release/v4.5
https://github.com/contiki-ng/contiki-ng/tree/release/v4.4
File:
snmp-engine.c
snmp-message.c
Analysis:
Memory access out of buffer boundaries may occur if an SNMP request with number of OIDs larger than supported by the engine is received and processed.
The OIDs listed in a request are processed by snmp_message_decode() function without verification of the varbinds buffer capacity.
The buffer is allocated in .bss as a static variable:
contiki-ng/os/net/app-layer/snmp/snmp-engine.c
Line 208 in 23db957
The varbinds memory buffer is written with the values provided in SNMP request:
contiki-ng/os/net/app-layer/snmp/snmp-message.c
Line 245 in 23db957
The buffer capacity is determined at compile time by the following definition:
contiki-ng/os/net/app-layer/snmp/snmp-conf.h
Lines 81 to 87 in 23db957
If the number of variables in the request exceeds the allocated buffer a memory write out of the buffer boundaries occurs. The write operation beyond the buffer capacity provides possibility to overwrite other variables allocated in the .bss section by the application.
As the sender of the frame is in controll of the content that will be written beyond the buffer limits and there is no strict process memory separation in contiki-ng, this issue may allow overwriting of sensitive memory areas of IoT device.
Type:
Result:
Target(s) affected by this defect ?
Fix
Rudimentary fix to address the most critical aspect of the issue:
https://github.com/mjurczak/contiki-ng/tree/bugfix/snmp-engine
How is this defect reproduced ?
An example hex-encoded SNMP request causing out-of-bounds memory write to varbinds:
The text was updated successfully, but these errors were encountered: