Out-of-Bounds reads on TM/TC/AOS Frames
Donnie-Ice opened this issue · 0 comments
Donnie-Ice commented
It is possible to get a seg fault by first passing an invalid index to sa_if->sa_get_from_spi(spi, &sa_ptr)
, then dereferencing the pointer in the // Determine SA Service Type
code blocks in crypto_aos.c
, crypto_tc.c
, and crypto_tm.c
.
To fix this, check if the SPI is within the SA array length before retrieving the SA pointer in get_sa_from_spi()