Impact
A remote out-of-bounds write vulnerability was discovered in the DASH7 Alliance Protocol implementation of the Sub-IoT stack. A remote attacker could craft a malicious packet that overwrites up to 255 bytes in a statically allocated memory structure. In the default configuration, the overflow region does not contain any function pointers, and since this variable is not allocated on the stack, we think it is not possible to trigger remote code execution in any way. Users who reconfigured MODULE_D7AP_PACKET_QUEUE_SIZE to 2 (from the default value 3) might be able to overwrite other memory contents, depending on other options and on the compiler toolchain and settings used.
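The bug class described above, as an added example that is not Sub-IoT's code: a length-prefixed frame copied into a slot of a statically allocated packet queue, with the bounds checks a receive path needs and a helper that shows how the reach of a worst-case 255-byte write depends on the slot and the queue size. The struct layout, the one-byte length prefix, the 128-byte slot capacity and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: names and sizes are assumptions, not Sub-IoT's own. */
#define QUEUE_SIZE  3    /* stands in for MODULE_D7AP_PACKET_QUEUE_SIZE */
#define PAYLOAD_MAX 128  /* constructed slot capacity */

typedef struct {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} packet_t;

static packet_t packet_queue[QUEUE_SIZE]; /* static storage, not on the stack */

/* Bytes an unchecked copy of `len` bytes into slot `slot` would write past
 * the end of a queue of `queue_size` slots (0 = stays inside the array). */
size_t bytes_past_queue(size_t slot, size_t queue_size, uint8_t len)
{
    size_t start = slot * sizeof(packet_t) + offsetof(packet_t, payload);
    size_t end = start + len;
    size_t total = queue_size * sizeof(packet_t);
    return end > total ? end - total : 0;
}

/* Hardened receive path: frame[0] is the on-air length, frame+1 the payload. */
int queue_store(size_t slot, const uint8_t *frame, size_t frame_len)
{
    if (slot >= QUEUE_SIZE || frame == NULL || frame_len < 1)
        return -1;
    uint8_t len = frame[0];           /* attacker-controlled, 0..255 */
    if (len > PAYLOAD_MAX)            /* bound by destination capacity */
        return -1;
    if ((size_t)len > frame_len - 1)  /* bound by bytes actually received */
        return -1;
    memcpy(packet_queue[slot].payload, frame + 1, len);
    packet_queue[slot].len = len;
    return 0;
}

int main(void)
{
    uint8_t frame[201] = {200};       /* constructed oversized frame */
    printf("store oversized frame: %d\n", queue_store(0, frame, sizeof frame));
    printf("slot 1 of 2, 255 bytes: %zu past queue\n", bytes_past_queue(1, 2, 255));
    return 0;
}
```

In this constructed layout the same 255-byte write stays inside the array from slot 1 of a three-slot queue but runs 127 bytes past a two-slot queue, which is why the contents of the adjacent memory decide the impact.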
Patches
The vulnerability was fixed in the 0.5.0 release.
Credits
The vulnerability was discovered with the help of Firmalyzer's automated firmware analysis engine.
For more information
If you have any questions or comments about this advisory, please open an issue in the GitHub repository or send a message in the Gitter channel.