3DS System Flaws: Difference between revisions
Line 611: | Line 611: | ||
! Timeframe this was added to wiki | ! Timeframe this was added to wiki | ||
! Discovered by | ! Discovered by | ||
|- | |||
| [[DLP_Services|DLP]]: Out-of-bounds memory access during spectator [[Download_Play|data-frame]] checksum calculation | |||
| DLP doesn't validate the frame_size when receiving spectator data-frames at all, unlike non-spectator data-frames. The actual spectator data-frame parsing code doesn't use that field either. However, the data-frame checksum calculation code called during checksum verification does use the frame_size for loading the size of the framebuf. | |||
Hence, using a large frame_size like 0xFFFF will result in the checksum calculation code reading data out-of-bounds. This isn't really useful, you could trigger a remote local-WLAN DLP-sysmodule crash while a 3DS system is scanning for DLP networks(due to accessing unmapped memory), but that's about all(trying to infoleak with this likely isn't useful either). | |||
| | |||
| None | |||
| [[10.0.0-27|10.0.0-X]] | |||
| April 8, 2016 (Tested on the 10th) | |||
| April 10, 2016 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |- | ||
| [[IR_Services|IR]]: Stack buffer overflow with custom hardware | | [[IR_Services|IR]]: Stack buffer overflow with custom hardware |
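Review bot: the cell left empty directly after the description in the new DLP row should carry the outcome the description already states (a remote local-WLAN DLP-sysmodule crash while the system is scanning for DLP networks), so the impact can be read from the row without parsing the prose. The description says frame_size is not validated for spectator data-frames "unlike non-spectator data-frames" and is used "for loading the size of the framebuf", but never says what bound the non-spectator path enforces; adding that would let a reader verify a later fix against this entry. Style: "networks(due to" and "all(trying" are each missing a space before the parenthesis.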