mirror of
https://github.com/RIOT-OS/RIOT.git
synced 2024-12-29 04:50:03 +01:00
8a178f49e7
The TinyCBOR library takes a `size_t *` length argument in many functions which at function call contains the length of a buffer, and at exit the actual size of the data. The FIDO-2 code however uses `uint8_t` fields in `struct`s to store the data. Previously, a pointer to that `uint8_t` field was just cast to `size_t *`, resulting in three neighboring bytes also being interpreted as being part of the buffer size - which could result in undetected buffer overflows. Similarly, upon exit of the function not only the `uint8_t` sized length `struct` member but also three neighboring bytes were written to. I didn't care to investigate, but this really looks like crafted CBOR payloads sent to the FIDO2 implementation could result in arbitrary code execution on the device.
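An added illustration of the pattern the commit message describes, not code from RIOT or TinyCBOR: it shows the capacity a callee sees through the widened pointer, next to the usual fix of passing a real `size_t` local and narrowing after a range check. `copy_out`, `struct cred_id` and the function names are hypothetical, and `uint32_t` stands in for `size_t` on a 32-bit target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a TinyCBOR-style call: *len holds the buffer
 * capacity on entry and the size of the copied data on exit. */
static int copy_out(const uint8_t *src, size_t src_len, uint8_t *buf, size_t *len)
{
    if (src_len > *len) {
        return -1;              /* the bounds check trusts *len */
    }
    memcpy(buf, src, src_len);
    *len = src_len;
    return 0;
}

/* Constructed struct: a 1-byte length field followed by other members. */
struct cred_id {
    uint8_t id[16];
    uint8_t id_len;
    uint8_t flags[3];           /* the "three neighboring bytes" */
};

/* Capacity a 32-bit callee would read through (size_t *)&c->id_len:
 * the length byte plus its three neighbours. Modelled with memcpy so the
 * demonstration itself stays well-defined. */
uint32_t capacity_seen_via_cast(const struct cred_id *c)
{
    uint32_t v;
    memcpy(&v, (const uint8_t *)c + offsetof(struct cred_id, id_len), sizeof(v));
    return v;
}

/* Fixed pattern: a size_t local carries the capacity in and the length
 * out; the result is range-checked before being narrowed to uint8_t. */
int parse_id_fixed(struct cred_id *c, const uint8_t *src, size_t src_len)
{
    size_t len = sizeof(c->id);
    if (copy_out(src, src_len, c->id, &len) != 0 || len > UINT8_MAX) {
        return -1;
    }
    c->id_len = (uint8_t)len;
    return 0;
}
```
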
transport
ctap_cbor.c
ctap_crypto.c
ctap_mem.c
ctap_utils.c
ctap.c
Kconfig
Makefile