Security Vulnerability - Action Required: Heap Overflow in your project since the newest version

[Crispy-fried-chicken]

Hi, I think your project may be vulnerable to insufficient bounds checking during management of heap memory in the function of pvPortMalloc (size_t xWantedSize) in the file examples/stm32/nucleo-f746zg-cube-freertos/Middlewares/Third_Party/FreeRTOS/Source/portable/MemMang/heap_4.c. It shares similarities to a recent CVE disclosure CVE-2021-32020 in the FreeRTOS.

The source vulnerability information is as follows:

Vulnerability Detail: CVE Identifier: CVE-2021-32020 Description: The kernel in Amazon Web Services FreeRTOS before 10.4.3 has insufficient bounds checking during management of heap memory. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32020 Patch: https://github.com/FreeRTOS/FreeRTOS-Kernel/commit/c7a9a01c94987082b223d3e59969ede64363da63

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

[cpq]

@Crispy-fried-chicken heap_4.c is FreeRTOS file, not ours. Is your intention to make a PR against it?

[Crispy-fried-chicken]

@cpq Yes, I've already make a PR which is https://github.com/cesanta/mongoose/pull/2878. Maybe you can review it?

[scaprile]

@Crispy-fried-chicken please do not open several issues for the same subject, #2879

• The file you mention does not exist. You are probably referring to an old release. You did not follow the issue template. I can get what you try to mean, anyway.
• The file you mention is automatically added by STM32CubeIDE and STM32CubeMX tools when one works on a project, those files do not belong to Mongoose, what you mention is one of several examples of using that tool with Mongoose, that is not Mongoose code.

• The file you mention belongs to Amazon:

  • • Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

  • Please address your concerns to them

• The file you mention is in several versions in several examples all over our repo and all over the world. It will be removed when we remove that example, or it will change when and if we update that example, when and if ST did update their HAL library to a newer version, if and when the FreeRTOS team had changed that and ST chose a version with that fixed.

Thanks for your concerns, once again, that is vendor code, just a usage example, not our code.