Bluetooth: Mesh: Network buffer overflow on too long proxy messages #31911

@trond-snekvik

Description

The network decode function does not check the max length of the input message, which can exceed the spec-mandated 29 bytes when coming from the proxy module. This can overflow the decode out buffer, which is defined as 29 bytes in proxy and net_recv.
By default, this will assert in net/buf.c, but if netbuf asserts are disabled, this will overflow the target buffer on stack.

Fixed by #31909.
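
The missing length check described in this issue, sketched as an added example; this is not Zephyr's code and not the fix from #31909. All names (`out_buf`, `decode_unchecked`, `decode_checked`, `demo_decode`) and the error codes are hypothetical, and the sample input is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NET_PDU_MAX 29 /* spec-mandated maximum from the issue text */

/* Hypothetical stand-in for the fixed-size decode out buffer. */
struct out_buf {
    uint8_t data[NET_PDU_MAX];
    size_t len;
};

/* 'Before' shape: trusts the caller's length. Kept for contrast, never called. */
int decode_unchecked(const uint8_t *in, size_t in_len, struct out_buf *out)
{
    memcpy(out->data, in, in_len); /* writes past data[] when in_len > 29 */
    out->len = in_len;
    return 0;
}

/* Hardened shape: an explicit runtime check that does not depend on asserts
 * being compiled in, performed before the output buffer is touched. */
int decode_checked(const uint8_t *in, size_t in_len, struct out_buf *out)
{
    if (in == NULL || out == NULL) return -EINVAL;
    if (in_len > sizeof(out->data)) {
        return -EMSGSIZE; /* over-long input, e.g. from a proxy transport */
    }
    memcpy(out->data, in, in_len);
    out->len = in_len;
    return 0;
}

/* Constructed input: feed in_len bytes of filler through the checked decoder.
 * Returns the decoded length on success or a negative errno value. */
int demo_decode(size_t in_len)
{
    uint8_t msg[64]; /* constructed sample, larger than NET_PDU_MAX */
    struct out_buf out = { .len = 0 };

    if (in_len > sizeof(msg)) return -EINVAL;
    memset(msg, 0xAA, sizeof(msg));
    int err = decode_checked(msg, in_len, &out);
    return err ? err : (int)out.len;
}

int main(void) { return demo_decode(30) == -EMSGSIZE ? 0 : 1; }
```

The check compares against `sizeof(out->data)` rather than a separate constant, so the bound follows the buffer if its size ever changes.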
