Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-5055: L2CAP: Possible Stack based buffer overflow in le_ecred_reconf_req()

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.

CVE
Open in Source
#vulnerability#git#buffer_overflow

Summary

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.

Details

If buf->len is bigger than sizeof(chans) / sizeof(scid) times sizeof(scid), then chan_count can become bigger than L2CAP_ECRED_CHAN_MAX_PER_REQ (which is 5).

It can lead to Out-Of-Bounds write on line 1385 (https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/bluetooth/host/l2cap.c#L1385).

Also, below, on line 1399 and 1400, there is a write to chan.tx. mtu and msp come from request.

Patches

main (v3.5 development cycle) #62381

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities
embargo: 2023-11-01

Related news

CVE-2021-3434

Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE