Security vulnerabilities and automated fixes for embedded security issues
20 posts found
A critical heap buffer overflow vulnerability was discovered in `lib/OpdsParser/OpdsParser.cpp`, where the buffer allocation size was calculated *after* a fixed chunk size was used to allocate memory, meaning the actual bytes read could exceed the allocated buffer. On embedded devices parsing untrusted OPDS catalog data from the network, this flaw could allow a remote attacker to corrupt heap memory and potentially achieve arbitrary code execution. The fix was elegantly simple: move the `toRead`
A subtle but dangerous integer overflow vulnerability was discovered in `lib/rpmi_shmem.c`, where bounds checks on shared memory operations could be silently bypassed due to 32-bit arithmetic overflow. By carefully crafting `offset` and `len` values, an OS-level or hypervisor-level caller could direct firmware writes to arbitrary memory addresses — including interrupt vector tables and security-critical configuration structures. The fix was elegantly simple: casting operands to 64-bit before add
A high-severity out-of-bounds access vulnerability was discovered and patched in the `py32ioexp` Linux GPIO expander driver. The `py32io_gpio_direction_input()` function failed to validate a user-supplied pin offset against the chip's declared GPIO count, opening the door to memory corruption via the GPIO character device interface. A two-line bounds check now closes the vulnerability cleanly and efficiently.
A critical buffer overflow vulnerability was discovered in the RC device request parser (`rcdevice.c`), where incoming packet data was written to a fixed-size buffer using an attacker-controlled length field as the only guard. Because the expected data length was parsed directly from the packet without being validated against the actual allocated buffer size, a malicious packet could overflow the buffer and overwrite adjacent stack or heap memory with arbitrary bytes. The fix adds a single, esse
A critical buffer overflow vulnerability was discovered in `serial.c`, where the `rs232_buffered_input` function could write more bytes than the destination buffer `rs232_ibuff` could hold — with no size limit to stop it. An attacker with access to the RS-232 serial port could exploit this to overwrite adjacent OS memory, including return addresses and critical data structures. The fix adds a simple but essential bounds check that clamps the returned byte count to the actual buffer size.
A critical stack buffer overflow vulnerability was discovered in `ftm_file.cpp`, where unchecked `strcpy()` calls allowed attacker-controlled filenames from crafted FTM files to overwrite stack memory, including the saved return address, enabling arbitrary code execution on ESP32 devices. The fix replaces both dangerous `strcpy()` calls with bounds-checked `strncpy()` plus explicit null-termination, eliminating the overflow vector entirely. This is a textbook reminder that unsafe C string functi
A critical heap buffer overflow vulnerability was discovered in the `lwip_hosted_rx_input` function of the lwIP hosted wireless driver, where raw network frames from an ESP-hosted interface were copied into packet buffers without validating the frame length against the buffer's maximum capacity. Because `pbuf_alloc` uses an unsigned 16-bit integer for size, an attacker on the same wireless network could craft a packet with an oversized length field, causing silent integer truncation and subseque
A critical integer overflow vulnerability (CWE-190 → CWE-122) was discovered and fixed in an embedded ESP web server, where the HTTP Content-Length header value was cast to a signed integer and used directly in a `malloc()` call without proper size validation. On 32-bit systems, a crafted request with a maximum-sized Content-Length value could cause the allocation size to wrap to zero, allowing an attacker to overflow the heap with arbitrary data. The fix correctly validates the signed header va
A high-severity vulnerability in ESP32 firmware allowed attackers to trigger stack and heap corruption by sending malformed UART frames shorter than expected to an mmWave sensor driver. Multiple `memcpy` operations copied data into fixed-size local variables without first verifying the source buffer was large enough, opening the door to arbitrary code execution. The fix replaces magic-number length guards with `sizeof()`-based checks that are portable, self-documenting, and provably correct.
A medium-severity vulnerability in the ESP32-audioI2S library allowed audio streaming credentials to be transmitted via HTTP Basic Authentication over unencrypted HTTP connections, making them trivially recoverable by anyone on the same network. The fix gates the Authorization header behind an SSL/TLS check, ensuring credentials are only sent when the connection is encrypted. For embedded IoT devices where credentials are often hardcoded in firmware, this kind of passive interception risk is esp
A critical buffer overflow vulnerability was discovered in the Meshtastic firmware's radio packet handler, where an unchecked `memcpy` operation allowed any node on the mesh network to send a crafted packet with an oversized payload length field, potentially overwriting adjacent memory. Because Meshtastic mesh nodes communicate without authentication, this vulnerability was remotely exploitable by any attacker within radio range — or even further through mesh relay. The fix adds a simple but ess
A critical out-of-bounds memory access vulnerability was discovered in the FatFSUSB library used by the micro-journal ESP32 firmware, where memcpy operations on a sector buffer accepted attacker-controlled offset and size values from USB SCSI commands without any bounds validation. A malicious USB host could craft SCSI READ/WRITE commands to corrupt memory, potentially crashing the device or executing arbitrary code. The fix adds a simple but essential bounds check before every memcpy operation,