This was identified during fuzz testing as part of the pre-release security review. The team decided it was not a vulnerability, and it was deferred to post-release to Ledger Live.
The issue can be reproduced by building the app with clang 10/11 (outside of Nix) and running the fuzzer for 5-10 minutes, as shown here.
https://github.com/obsidiansystems/ledger-app-nervos/blob/a50c21dc390be77cca600f51e221721c5a80fc0f/src/apdu_sign.c#L807