static int cmd_write(const struct shell *shell_ptr, size_t argc, char *argv[])
{
    int err;
    uint8_t buffer[CONFIG_SHELL_CMD_BUFF_SIZE / 2];
    size_t buffer_len = 0;
    enum settings_value_types value_type = SETTINGS_VALUE_HEX;
    if (argc > 3) {
        err = settings_parse_type(argv[1], &value_type);
        if (err) {
            shell_error(shell_ptr, "Invalid type: %s", argv[1]);
            return err;
        }
    }
    switch (value_type) {
    case SETTINGS_VALUE_HEX:
        buffer_len = hex2bin(argv[argc - 1], strlen(argv[argc - 1]),
            buffer, sizeof(buffer));
        break;
    case SETTINGS_VALUE_STRING:
        buffer_len = strlen(argv[argc - 1]) + 1; // CAN BE GREATER THAN CONFIG_SHELL_CMD_BUFF_SIZE / 2
        memcpy(buffer, argv[argc - 1], buffer_len); // VULN
        break;
    }
 
Summary
Unchecked length of user-supplied input in the settings shell:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/settings/src/settings_shell.c#L184C9-L184C9
Details
Patches
main: #66451
v3.5: #66584
embargo: 2024-02-18
For more information
If you have any questions or comments about this advisory: