Open 0xdea opened 11 months ago
Hi, it's been one month since I reported this vulnerability, and I wanted to ask if you have any update. As standard practice, I plan to request a CVE ID for every confirmed vulnerability. I also intend to publish an advisory by February at the latest, unless there's a specific reason to postpone. Thanks!
Hi there, CVE-2024-25388 was assigned to this vulnerability. I'm planning to publish my security advisory and writeup on March 5th. Thanks.
Hi,
I would like to report another potential vulnerability in the current version of RT-Thread. Please let me know if you plan to ask for a CVE ID in case the vulnerability is confirmed. I'm available if you need further clarifications.
Potential heap buffer overflow in RT-Thread wlan driver
Summary
I spotted a potential heap buffer overflow vulnerability at the following location in the RT-Thread wlan driver source code: https://github.com/RT-Thread/rt-thread/blob/master/components/drivers/wlan/wlan_mgnt.c#L215-L226
Details
Since len is a signed integer in the rt_wlan_send_to_thread() function, a small negative value could lead to a buffer overflow at the marked lines:
Impact
If the signed size above is confirmed to be attacker-controlled and the input is crossing a security boundary, the impact of the reported buffer overflow vulnerability could range from denial of service to arbitrary code execution.
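Added example, not part of the original report and not RT-Thread code: a sketch of the bug class described above, assuming the common pattern where a signed length is added to a header size for a heap allocation and then used as a copy count. The struct, MSG_MAX_PAYLOAD, unchecked_alloc_size() and msg_create() are hypothetical names; the hardened constructor rejects negative and oversized lengths before any size arithmetic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX_PAYLOAD 2048        /* assumed upper bound for this sketch */

/* Hypothetical message: fixed header followed by a variable payload. */
struct msg {
    int event;
    int len;
    unsigned char payload[];        /* flexible array member */
};

/* Size an unchecked "header + len" computation hands to the allocator.
 * A negative len is converted to size_t and the sum wraps, so the block
 * ends up smaller than the header that is written into it. */
size_t unchecked_alloc_size(int len)
{
    return sizeof(struct msg) + (size_t)len;
}

/* Hardened constructor: reject the length before any arithmetic or copy. */
struct msg *msg_create(int event, const void *buf, int len)
{
    struct msg *m;

    if (len < 0 || len > MSG_MAX_PAYLOAD)
        return NULL;
    if (len > 0 && buf == NULL)
        return NULL;
    m = malloc(sizeof(*m) + (size_t)len);
    if (m == NULL)
        return NULL;
    m->event = event;
    m->len = len;
    if (len > 0)
        memcpy(m->payload, buf, (size_t)len);
    return m;
}

int main(void)
{
    struct msg *m = msg_create(1, "abcd", 4);   /* constructed input */

    printf("unchecked size for len=-4: %zu (header is %zu)\n",
           unchecked_alloc_size(-4), sizeof(struct msg));
    printf("msg_create(len=-4) -> %p\n", (void *)msg_create(1, "abcd", -4));
    free(m);
    return 0;
}
```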