Fixed buffer overflow vuln with netloader args introduced with the original netloader commit. Fixed unrelated bounds check in launchAddArg() which assumed there was nothing after argData_s.buf within argData_s, which was no longer the case once nxlink_host was added to argData_s.

2018-10-27 16:08:39 -04:00 · 2018-10-27 16:08:39 -04:00 · d616ed02a7
commit d616ed02a7
parent 1435a2fb3b
2 changed files with 3 additions and 1 deletions
--- a/common/launch.c
+++ b/common/launch.c
@ -2,7 +2,7 @@

 size_t launchAddArg(argData_s* ad, const char* arg) {
    size_t len = strlen(arg)+1;
-    if ((ad->dst+len) >= (char*)(ad+1)) return len; // Overflow
+    if ((ad->dst+len) >= (char*)(ad->buf + sizeof(ad->buf))) return len; // Overflow
    ad->buf[0]++;
    strcpy(ad->dst, arg);
    ad->dst += len;
--- a/common/netloader.c
+++ b/common/netloader.c
@ -464,6 +464,8 @@ int loadnro(menuEntry_s *me, int sock, struct in_addr remote) {
            }

            if (response == 0 ) {
+                if (netloaded_cmdlen > sizeof(me->args.buf)-1) netloaded_cmdlen = sizeof(me->args.buf)-1;
+
                len = recvall(sock,me->args.dst, netloaded_cmdlen,0);

                if (len != netloaded_cmdlen) {