IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the gotoUrl parameter in the formPortalAuth function.

\# ip-com-11 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control “gotoUrl” to attack it. ## Buffer Overflow vulnerability In formPortalAuth function, the parameter “gotoUrl” is directly strcpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow, and so on, we also can control the "gotoUrl" to attack it. !\[\](https://i.imgur.com/r1wi2Ym.png) ## PoC ### Buffer Overflow We set the value of “gotoUrl” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45719: ip-com-11 - HackMD

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the picName parameter in the formDelWewifiPic function.

\# ip-com-13 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control the "picName" to attack it. ## Buffer Overflow vulnerability In formDelWewifiPic function, the parameter "picName" is directly sprintf to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow. !\[\](https://i.imgur.com/tq71QYs.png) ## PoC ### Buffer Overflow We set the value of “picName” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45721: ip-com-13 - HackMD

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the hostname parameter in the formSetNetCheckTools function.

\# ip-com-7 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control “hostname” to attack it. ## Buffer Overflow vulnerability In formSetNetCheckTools function, the parameter “hostname” is directly strncpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow, and so on, we also can control the hostname to attack it. !\[\](https://i.imgur.com/Z4rJNQg.png) ## PoC ### Buffer Overflow We set the value of “hostname” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45706: ip-com-7 - HackMD

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the rules parameter in the formAddDnsHijack function.

\# ip-com-4 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control rules to attack it. ## Buffer Overflow vulnerability In formAddDnsHijack function, the parameter “rules” is directly strcpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow. !\[\](https://i.imgur.com/r0S6kiT.png) !\[\](https://i.imgur.com/dvQ5sJL.png) ## PoC ### Buffer Overflow We set the value of “rules” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45707: ip-com-4 - HackMD

IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple buffer overflows via the pEnable, pLevel, and pModule parameters in the formSetDebugCfg function.

\# ip-com-1 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control the pEnable, pLevel or pModule to attack it. ## Buffer Overflow vulnerability In formSetDebugCfg function, the parameter “pEnable”,"pLevel"and "pModule" is directly sprintf to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow, and so on, we also can control the pEnable, pLevel or pModule to attack it. !\[\](https://i.imgur.com/ivIkNZN.png) ## PoC ### Buffer Overflow We set the value of “pEnable”,"pLevel" or "pModule" as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45710: ip-com-1 - HackMD

IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the sPortMapIndex parameter in the formDelPortMapping function.

\# ip-com-6 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control “sPortMapIndex” to attack it. ## Buffer Overflow vulnerability In formDelPortMapping function, the parameter “sPortMapIndex” is directly strcpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow, and so on, we also can control the sPortMapIndex to attack it. !\[\](https://i.imgur.com/VlYhDbn.png) ## PoC ### Buffer Overflow We set the value of “sPortMapIndex” as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.

CVE-2022-45708: ip-com-6 - HackMD

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.

Permalink

Browse files

ksmbd: fix heap-based overflow in set\_ntacl\_dacl()

The testcase use SMB2\_SET\_INFO\_HE command to set a malformed file attribute
under the label \`security.NTACL\`. SMB2\_QUERY\_INFO\_HE command in testcase
trigger the following overflow.

\[ 4712.003781\] ==================================================================
\[ 4712.003790\] BUG: KASAN: slab-out-of-bounds in build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.003807\] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190

\[ 4712.003813\] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
\[ 4712.003850\] Workqueue: ksmbd-io handle\_ksmbd\_work \[ksmbd\]
\[ 4712.003867\] Call Trace:
\[ 4712.003870\]  <TASK>
\[ 4712.003873\]  dump\_stack\_lvl+0x49/0x5f
\[ 4712.003935\]  print\_report.cold+0x5e/0x5cf
\[ 4712.003972\]  ? ksmbd\_vfs\_get\_sd\_xattr+0x16d/0x500 \[ksmbd\]
\[ 4712.003984\]  ? cmp\_map\_id+0x200/0x200
\[ 4712.003988\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004000\]  kasan\_report+0xaa/0x120
\[ 4712.004045\]  ? build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004056\]  kasan\_check\_range+0x100/0x1e0
\[ 4712.004060\]  memcpy+0x3c/0x60
\[ 4712.004064\]  build\_sec\_desc+0x842/0x1dd0 \[ksmbd\]
\[ 4712.004076\]  ? parse\_sec\_desc+0x580/0x580 \[ksmbd\]
\[ 4712.004088\]  ? ksmbd\_acls\_fattr+0x281/0x410 \[ksmbd\]
\[ 4712.004099\]  smb2\_query\_info+0xa8f/0x6110 \[ksmbd\]
\[ 4712.004111\]  ? psi\_group\_change+0x856/0xd70
\[ 4712.004148\]  ? update\_load\_avg+0x1c3/0x1af0
\[ 4712.004152\]  ? asym\_cpu\_capacity\_scan+0x5d0/0x5d0
\[ 4712.004157\]  ? xas\_load+0x23/0x300
\[ 4712.004162\]  ? smb2\_query\_dir+0x1530/0x1530 \[ksmbd\]
\[ 4712.004173\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[ 4712.004179\]  handle\_ksmbd\_work+0x30e/0x1020 \[ksmbd\]
\[ 4712.004192\]  process\_one\_work+0x778/0x11c0
\[ 4712.004227\]  ? \_raw\_spin\_lock\_irq+0x8e/0xe0
\[ 4712.004231\]  worker\_thread+0x544/0x1180
\[ 4712.004234\]  ? \_\_cpuidle\_text\_end+0x4/0x4
\[ 4712.004239\]  kthread+0x282/0x320
\[ 4712.004243\]  ? process\_one\_work+0x11c0/0x11c0
\[ 4712.004246\]  ? kthread\_complete\_and\_exit+0x30/0x30
\[ 4712.004282\]  ret\_from\_fork+0x1f/0x30

This patch add the buffer validation for security descriptor that is
stored by malformed SMB2\_SET\_INFO\_HE command. and allocate large
response buffer about SMB2\_O\_INFO\_SECURITY file info class.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>

*   Loading branch information

CVE-2022-47942: ksmbd: fix heap-based overflow in set_ntacl_dacl() · torvalds/linux@8f05411

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch.

This is a continuation of GHSA-9pfh-r8x4-w26w.

**Impact**

Possible buffer overread when parsing a specially crafted STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB.

**Patches**

The patch is available as commit bc4812d in the master branch.

**For more information**

If you have any questions or comments about this advisory:  
Email us at security@pjsip.org

**Reporter**

google/oss-fuzz

CVE-2022-23547: Heap buffer overflow when decoding STUN message (2)

A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41639: TALOS-2022-1633 || Cisco Talos Intelligence Group

A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Tag

#buffer_overflow