漏洞标题
由于RIOT中的assert()和缓冲区溢出,导致大小检查无效
漏洞描述信息
RIOT是一个实时多线程操作系统,支持一系列通常为8位、16位和32位微控制器的设备。大多数代码库都定义了断言宏,在非调试构建中编译为空操作。如果断言是防止不受信任输入的唯一防线,那么软件可能会受到利用缺乏适当输入检查的攻击。具体来说,在下面的`nimble_scanlist_update()`函数中,`len`在断言中进行检查,然后在对`memcpy()`的调用中使用。如果攻击者能够在禁用断言的情况下提供更大的`len`值,他们可以写入固定长度的`e->ad`缓冲区的末尾之外。如果上述未检查的输入受攻击者控制并且跨越安全边界,缓冲区溢出漏洞的影响可能从拒绝服务到任意代码执行。此问题尚未修补。建议用户添加手动的`len`检查。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
输入验证不恰当
漏洞标题
Ineffective size check due to assert() and buffer overflow in RIOT
漏洞描述信息
RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. Most codebases define assertion macros which compile to a no-op on non-debug builds. If assertions are the only line of defense against untrusted input, the software may be exposed to attacks that leverage the lack of proper input checks. In detail, in the `nimble_scanlist_update()` function below, `len` is checked in an assertion and subsequently used in a call to `memcpy()`. If an attacker is able to provide a larger `len` value while assertions are compiled-out, they can write past the end of the fixed-length `e->ad` buffer. If the unchecked input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution. This issue has not yet been patched. Users are advised to add manual `len` checking.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)
漏洞标题
RIOT RIOT-OS 安全漏洞
漏洞描述信息
RIOT RIOT-OS是一套应用于物联网领域的操作系统。 RIOT RIOT-OS存在安全漏洞,该漏洞源于缺乏适当输入检查,通过 assert()可能会导致 RIOT 缓冲区溢出。
CVSS信息
N/A
漏洞类别
其他