Summary
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
Details
If buf->len is bigger than sizeof(chans) / sizeof(scid) times sizeof(scid), then chan_count can become bigger than L2CAP_ECRED_CHAN_MAX_PER_REQ (which is 5).
It can lead to Out-Of-Bounds write on line 1385 (https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/l2cap.c#L1385).
Also, below, on line 1399 and 1400, there is a write to chan.tx. mtu and msp come from request.
Patches
main (v3.5 development cycle) #62381
For more information
If you have any questions or comments about this advisory:
Open an issue in zephyr
Email us at Zephyr-vulnerabilities
embargo: 2023-11-01
sploitem Reporter
Summary
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
Details
If buf->len is bigger than sizeof(chans) / sizeof(scid) times sizeof(scid), then chan_count can become bigger than L2CAP_ECRED_CHAN_MAX_PER_REQ (which is 5).
It can lead to Out-Of-Bounds write on line 1385 (https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/l2cap.c#L1385).
Also, below, on line 1399 and 1400, there is a write to chan.tx. mtu and msp come from request.
Patches
main (v3.5 development cycle) #62381
For more information
If you have any questions or comments about this advisory:
Open an issue in zephyr
Email us at Zephyr-vulnerabilities
embargo: 2023-11-01