nodemcu / nodemcu-firmware

Lua based interactive firmware for ESP8266, ESP8285 and ESP32
https://nodemcu.readthedocs.io
MIT License

Integer overflow (leading to stack-based buffer overflow) in embedded lua_struct.c #3626

Open Crispy-fried-chicken opened 5 months ago

Crispy-fried-chicken commented 5 months ago

`getnum` in `app/modules/struct.c` potentially has an integer overflow if `fmt` is set too large. It might be triggered by running a Lua statement such as: `EVAL "struct.pack('>I2147483648', '10')" 0`. It can be easily avoided by adding a bound check in `getnum`, and I'd like to open a PR for that if necessary.

pjsg commented 5 months ago

Please open a PR for that.

Crispy-fried-chicken commented 5 months ago

> Please open a PR for that.

Sure, I've already opened one, which is <https://github.com/nodemcu/nodemcu-firmware/pull/3633>. Please check it, thank you!
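
The kind of bound check proposed in this issue, as an added example (not code from the nodemcu-firmware repository or from the linked PR). The function names, the error-return convention and the digit-accumulation loop are assumptions modelled on the issue's description of `getnum`, and a 32-bit `int` is assumed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an unchecked digit parser. The sum is kept in
 * uint32_t so the demo is well defined; with a plain int the same loop is
 * signed overflow, which is undefined behaviour in C. */
static int parse_count_unchecked(const char **fmt, int dflt) {
    if (!isdigit((unsigned char)**fmt)) return dflt;  /* no number: default */
    uint32_t a = 0;
    do {
        a = a * 10u + (uint32_t)(*(*fmt)++ - '0');
    } while (isdigit((unsigned char)**fmt));
    return (int)(int32_t)a;  /* above INT_MAX this comes out negative */
}

/* Checked form: reject before a*10 + d could exceed INT_MAX.
 * Returns 0 on success, -1 on overflow; *out is written only on success. */
static int parse_count_checked(const char **fmt, int dflt, int *out) {
    if (!isdigit((unsigned char)**fmt)) { *out = dflt; return 0; }
    int a = 0;
    do {
        int d = **fmt - '0';
        if (a > (INT_MAX - d) / 10) return -1;  /* would overflow */
        a = a * 10 + d;
        (*fmt)++;
    } while (isdigit((unsigned char)**fmt));
    *out = a;
    return 0;
}

int main(void) {
    /* Digits taken from the format string in the issue: '>I2147483648'. */
    const char *p = "2147483648", *q = "2147483648";
    int sz = parse_count_unchecked(&p, 4);
    printf("unchecked: %d (passes an upper-bound-only size check: %s)\n",
           sz, sz <= 32 ? "yes" : "no");  /* 32 is a constructed limit */
    int out = 0;
    printf("checked:   %s\n",
           parse_count_checked(&q, 4, &out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A caller that only tests the parsed size against an upper limit accepts the wrapped negative value, which is why the check belongs in the parser itself.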