Impact
In the Zephyr Bluetooth mesh core stack, an out-of-bounds write can be triggered during provisioning because there is no check for a mismatched SegN and TotalLength in the Transaction Start PDU.
In gen_prov_start there is no check for a mismatched SegN and TotalLength. For example, TotalLength 65 with SegN 62 in a Transaction Start PDU is accepted as valid (in fact, if TotalLength is 65, SegN should be only 2). SegN 62 is then stored in link.rx.last_seg.
By sending a malformed Transaction Start PDU with a legal TotalLength and an oversized SegN, the check of SegO against SegN in the Transaction Continue PDU can be bypassed.
In consequence, sending a Transaction Continue PDU with an actually oversized SegO (i.e., larger than 2, which corresponds to the size of rx_buf) triggers an out-of-bounds write: if SegO > 2, then 20 + (SegO - 1)×23 + 23 > 65,
where 20 + (SegO - 1)×23 is the write offset.
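The two validations the advisory describes as missing, written out as an added C example (not Zephyr's code and not the referenced patch). The segment sizes 20 and 23 and the 65-byte rx_buf are the advisory's figures; the function and macro names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Figures from the advisory: first segment carries 20 bytes, each continuation
 * segment 23 bytes, and rx_buf holds 65 bytes. Macro names are assumed. */
#define PB_ADV_START_PAYLOAD 20u
#define PB_ADV_CONT_PAYLOAD  23u
#define PB_ADV_RX_BUF_SIZE   65u

/* SegN (index of the last segment) that a transaction of total_len bytes
 * actually needs, or -1 if total_len can never fit into rx_buf. */
int expected_seg_n(uint16_t total_len)
{
    if (total_len == 0 || total_len > PB_ADV_RX_BUF_SIZE) {
        return -1;
    }
    if (total_len <= PB_ADV_START_PAYLOAD) {
        return 0;                      /* everything fits in the start PDU */
    }
    uint16_t rest = total_len - PB_ADV_START_PAYLOAD;
    /* ceil(rest / 23) continuation segments: 65 bytes -> 45 rest -> SegN 2 */
    return (int)((rest + PB_ADV_CONT_PAYLOAD - 1) / PB_ADV_CONT_PAYLOAD);
}

/* Transaction Start PDU: reject SegN that does not match TotalLength
 * (this is the check the advisory says gen_prov_start lacks). */
bool start_pdu_valid(uint16_t total_len, uint8_t seg_n)
{
    int want = expected_seg_n(total_len);
    return want >= 0 && seg_n == (uint8_t)want;
}

/* Transaction Continue PDU: independently of last_seg, make sure the window
 * offset..offset+seg_len lies inside both TotalLength and rx_buf, so an
 * oversized SegO cannot write past the 65-byte buffer. */
bool cont_pdu_in_bounds(uint16_t total_len, uint8_t last_seg,
                        uint8_t seg_o, size_t seg_len)
{
    if (seg_o == 0 || seg_o > last_seg || seg_len > PB_ADV_CONT_PAYLOAD) {
        return false;
    }
    size_t offset = PB_ADV_START_PAYLOAD +
                    (size_t)(seg_o - 1) * PB_ADV_CONT_PAYLOAD;
    return offset + seg_len <= total_len &&
           offset + seg_len <= PB_ADV_RX_BUF_SIZE;
}
```

With the advisory's values, start_pdu_valid(65, 62) is rejected, and even if SegN 62 had already been stored, cont_pdu_in_bounds(65, 62, 3, 23) fails because offset 66 already exceeds the buffer.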
Patches
This has been fixed in:
main: #45136
v3.0: #45188
v2.7: #45187
Credits
Han Yan (闫晗), Lewei Qu (曲乐炜), Dongxiang Ke (柯懂湘) of Baidu AIoT Security Team
For more information
If you have any questions or comments about this advisory:
embargo: 2022-06-19