mirror of
https://github.com/RIOT-OS/RIOT.git
synced 2024-12-29 04:50:03 +01:00
8a178f49e7
The TinyCBOR library takes a `size_t *` length argument in many functions which at function call contains the length of a buffer, and at exit the actual size of the data. The FIDO-2 code however uses `uint8_t` fields in `struct`s to store the data. Previously, a pointer to that `uint8_t` filed was just casted to `size_t *`, resulting in three neighboring bytes also being interpreted as being part of the buffer size - which could result in undetected buffer overflows. Similar, upon exit of the function not only the `uint8_t` sized length `struct` member but also three neighboring bytes were written to. I didn't care to investigate, but this really looks like crafted CBOR payloads send to the FIDO2 implementation could result in arbitrary code execution on the device. |
||
|---|---|---|
| .. | ||
| ctap | ||
| doc.txt | ||
| Kconfig | ||
| Makefile | ||