As a workaround, one can apply the changes in Contiki-NG pull request #2509 to patch the system. As of time of publication, a patched version is not available. As a result, an attacker can inject a packet that causes an out-of-bound read. The value of `postcount` depends on the address compression used in the received packet and can be controlled by the attacker. Therefore, up to 16 bytes can be read out of bounds on the line with the statement `memcpy(&ipaddr->u8, iphc_ptr, postcount) `. But no similar check is done before decompressing the IPv6 address. In versions 4.9 and prior, when processing the various IPv6 header fields during IPHC header decompression, Contiki-NG confirms the received packet buffer contains enough data as needed for that field. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue.Ĭontiki-NG is an operating system for internet-of-things devices. This can remotely crash any Fast-DDS process. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. This issue may be used to leak internal memory allocation information.Įprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. This happens because two_back points to a memory address lower than the start of the buffer out. A crafted image file may trigger out of bounds memcpy read in `stbi_gif_load_next`. Stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |