Category

Network Security

Security vulnerabilities and automated fixes for network security issues

26 posts found

critical8 min

How integer overflow happens in C reliable.c and how to fix it

A critical integer overflow vulnerability was discovered in `reliable.c` at line 1299, where the `packet_buffer_size` calculation used signed `int` arithmetic that could wrap to a negative or undersized value when large `fragment_size` values were involved. By casting each operand to `size_t` before multiplication, the fix eliminates the overflow risk entirely and ensures the allocated buffer is always large enough to hold the reassembled packet data.

#integer-overflow#c#cwe-190+4 more
O
orbisai0security
Jul 9, 2026
critical5 min

How heap buffer overflow happens in C memcpy() with untrusted PDU length and how to fix it

A critical heap buffer overflow vulnerability was discovered in the Net-SNMP agent's trap handling code where `memcpy()` copied data from a network-controlled PDU without validating that the destination buffer could hold it. An attacker could craft a malicious SNMPv1 trap with an oversized `enterprise_length` field to corrupt heap memory. The fix adds a simple bounds check against `MAX_OID_LEN` before the copy operation.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 19, 2026
critical8 min

How buffer overflow happens in C MCP protocol parsing and how to fix it

A critical buffer overflow vulnerability (CWE-120) was discovered in the `mcp_frame_process_input()` function in `src/mcp.c` at line 1384. The function used unsafe `strncpy()` calls to copy network-sourced MCP protocol messages into fixed-size buffers without proper bounds checking, allowing remote attackers to overflow the buffer and potentially execute arbitrary code. The fix replaced all `strncpy()` calls with `snprintf()` and added a buffer size validation check.

#buffer-overflow#c-security#cwe-120+4 more
O
orbisai0security
Jun 17, 2026
critical6 min

How out-of-bounds read via unchecked memcpy happens in C packet processing and how to fix it

A critical out-of-bounds read vulnerability was discovered in `hep-tester/heptester.c` where `memcpy` calls at lines 200-201 read from fixed offsets in a packet buffer without verifying the buffer was large enough. An attacker could send a crafted packet shorter than 18 bytes to trigger the read, potentially leaking memory contents or crashing the capture agent. The fix adds a single bounds check against `pkthdr->caplen` before any memory copy operations.

#security#c#buffer-overflow+4 more
O
orbisai0security
Jun 3, 2026
critical7 min

Shallow Copy Memory Corruption in ShadowsocksR server.c Buffer Handling

A critical memory corruption vulnerability in ShadowsocksR's server.c allowed attackers to exploit shallow buffer copies through crafted network packets. The vulnerable memcpy operations at line 686 copied buffer_t structures containing pointers without deep copying the underlying data, creating use-after-free conditions when buffers were reallocated between copy and restore operations.

#use-after-free#memory-corruption#shadowsocksr+4 more
O
orbisai0security
Jun 2, 2026
critical10 min

Critical Heap Buffer Overflow in SSDP Control Point: How Unbounded String Operations Put Networks at Risk

A critical heap buffer overflow vulnerability was discovered and patched in the SSDP control point implementation (`ssdp_ctrlpt.c`), where multiple unbounded `strcpy` and `strcat` operations constructed HTTP request buffers without any length validation. Network-received SSDP response fields — including service type strings and location URLs — could be crafted by an attacker to exceed buffer boundaries, potentially enabling arbitrary code execution or denial of service. The fix replaces the unsa

#buffer-overflow#c-security#upnp+4 more
O
orbisai0security
May 28, 2026
high8 min

Securing rpcbind: How Unauthenticated RPC Registration Exposes NFS Infrastructure

A high-severity vulnerability was discovered in an NFS utilities configuration where rpcbind (port 111) accepted RPC service registrations without any authentication, allowing any network-accessible attacker to register malicious services under legitimate RPC program numbers and redirect NFS clients. The fix adds critical security documentation and network isolation guidance, ensuring operators understand that rpcbind must be protected by host-level firewalling or Kubernetes network policies to

#nfs#rpcbind#network-security+4 more
O
orbisai0security
May 28, 2026
critical8 min

Critical DHCP Heap Overflow: How a Missing Bounds Check Opens the Door to Memory Corruption

A critical heap buffer overflow vulnerability was discovered in a DHCP server implementation where the hardware address length field (`hlen`) from an attacker-controlled packet was trusted without validation, allowing up to 239 bytes of heap corruption. The fix adds a simple bounds check before the memory copy, ensuring the copy length never exceeds the destination buffer size. This type of vulnerability can lead to remote code execution, denial of service, or full system compromise in network-f

#buffer-overflow#dhcp#embedded-systems+4 more
O
orbisai0security
May 28, 2026
critical7 min

Heap Buffer Overflow in ShadowsocksR: How a Missing Bounds Check Could Let Attackers Crash Your Server

A critical heap buffer overflow vulnerability was discovered in ShadowsocksR-libev's server.c, where network-supplied data was copied into fixed-size heap buffers without verifying that the source length fit within the destination. An attacker could craft a malicious packet with an oversized length field to overflow the heap, potentially enabling remote code execution or denial of service. The fix adds proper bounds checking, null pointer validation after memory allocation, and reallocation fail

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
May 28, 2026
medium7 min

Integer Overflow in Packet Reassembly: How One Missing Check Enables Heap Corruption

A critical heap buffer overflow vulnerability was discovered in the network packet reassembly function of `net_channel_ex.c`, where an attacker-controlled `bodylen` field could be used to corrupt heap memory without any bounds validation. The fix introduces a simple yet effective integer overflow check before accumulating packet body lengths, preventing malformed packets from triggering memory corruption. This type of vulnerability is a stark reminder that even low-level arithmetic operations in

#buffer-overflow#integer-overflow#network-security+4 more
O
orbisai0security
May 28, 2026
critical8 min

Critical Buffer Overflow in IPv6 Parsing: How a Wrong Array Size Could Crash Your App

A critical buffer overflow vulnerability was discovered in `uv-common.c`, where a hardcoded 40-byte buffer was used to store IPv6 addresses — 6 bytes too small for the maximum valid IPv6 string length of 46 characters. An attacker supplying a crafted, oversized IP address string could trigger a stack or heap buffer overflow, potentially leading to remote code execution or application crashes. The fix replaces the magic number with the platform-defined `INET6_ADDRSTRLEN` constant, ensuring the bu

#buffer-overflow#c-security#network-security+4 more
O
orbisai0security
May 28, 2026
high8 min

When Network Frames Attack: Fixing a Heap Buffer Overflow in lwIP's Hosted Driver

A critical heap buffer overflow vulnerability was discovered in the `lwip_hosted_rx_input` function of the lwIP hosted wireless driver, where raw network frames from an ESP-hosted interface were copied into packet buffers without validating the frame length against the buffer's maximum capacity. Because `pbuf_alloc` uses an unsigned 16-bit integer for size, an attacker on the same wireless network could craft a packet with an oversized length field, causing silent integer truncation and subseque

#buffer-overflow#embedded-security#lwip+4 more
O
orbisai0security
May 28, 2026