From d616ed02a7469f03584d4297c4c3d7965e0c9fb0 Mon Sep 17 00:00:00 2001
From: yellows8
Date: Sat, 27 Oct 2018 16:08:39 -0400
Subject: [PATCH] Fixed buffer overflow vuln with netloader args introduced with the original netloader commit. Fixed unrelated bounds check in launchAddArg() which assumed there was nothing after argData_s.buf within argData_s, which was no longer the case once nxlink_host was added to argData_s.
---
 common/launch.c | 2 +-
 common/netloader.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/common/launch.c b/common/launch.c
index 16e660c..7bd8684 100644
--- a/common/launch.c
+++ b/common/launch.c
@@ -2,7 +2,7 @@ size_t launchAddArg(argData_s* ad, const char* arg)
 {
 size_t len = strlen(arg)+1;
- if ((ad->dst+len) >= (char*)(ad+1)) return len; // Overflow
+ if ((ad->dst+len) >= (char*)(ad->buf + sizeof(ad->buf))) return len; // Overflow
 ad->buf[0]++;
 strcpy(ad->dst, arg);
 ad->dst += len;
diff --git a/common/netloader.c b/common/netloader.c
index 6595148..dd3ad6a 100644
--- a/common/netloader.c
+++ b/common/netloader.c
@@ -464,6 +464,8 @@ int loadnro(menuEntry_s *me, int sock, struct in_addr remote) {
 }
 if (response == 0 ) {
+ if (netloaded_cmdlen > sizeof(me->args.buf)-1) netloaded_cmdlen = sizeof(me->args.buf)-1;
+
 len = recvall(sock,me->args.dst, netloaded_cmdlen,0);
 if (len != netloaded_cmdlen) {
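Review bot: The corrected bound on the `if` line in launchAddArg still forms the pointer `ad->dst+len` before comparing it, so for an over-long argument it computes an address past the end of `ad->buf` and only then rejects it; comparing the remaining space as a length keeps every pointer in range and reads as the intent: `if (len >= (size_t)(ad->buf + sizeof(ad->buf) - ad->dst)) return len; // Overflow`. Either form rejects an argument that would exactly fill the buffer because of `>=`; if that is deliberate (a reserved trailing byte), a short comment saying so would stop the next maintainer from "fixing" it to `>`. The function's success return is outside the hunk; if it also returns `len`, a caller cannot tell a rejected argument from a stored one, so a distinct return value for the overflow path would make this check enforceable by callers.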
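Review bot: The clamp added before the `recvall` call silently truncates an over-long command line instead of rejecting it, and since `recvall` then reads only the clamped count, the rest of the bytes the peer sent stay unread on the socket; anything received from `sock` after this point (not visible in the hunk) would be misaligned with the protocol. The bound is also taken from the whole of `me->args.buf` rather than from `me->args.dst`, where the data is actually written; launchAddArg in this same commit advances `dst`, so if `dst` is already past `buf+1` here the clamp still permits an overflow. Computing the free space from `dst` and rejecting rather than clamping covers both: `size_t avail = (size_t)(me->args.buf + sizeof(me->args.buf) - me->args.dst);` followed by `if (netloaded_cmdlen >= avail) { /* reject: report an error to the peer and stop, how errors are reported is outside this hunk */ }`. The declared type of `netloaded_cmdlen` is not visible; if it is signed, the comparison against `sizeof` promotes it to unsigned, which happens to catch negative lengths but deserves a comment so the behaviour is not accidental. loadnro continues beyond the hunk.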