3DS System Flaws: Difference between revisions
! Timeframe this was added to wiki
! Discovered by
|-
| [[MP:SendDataFrame]] missing input array index validation
| [[MP:SendDataFrame]] doesn't validate the input index at cmdreq[1] unless the code path for flag=non-zero is executed. The index is used, without any range check, to compute the following: someptr = stateptr + (index*0x924) + somestateoffset.
After validating some flags at someptr, when input_flag=0 the input buffer data is copied to someptr+someotheroffset+0x14, with the copy size taken from the u16 at someptr+someotheroffset.
With a large input index, someptr could be made to point at a <target address>, overwriting memory there.
This is probably difficult to exploit.
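The index arithmetic above, as an added worked example that is not the MP sysmodule's code and not part of this wiki's original text: a C model of the unchecked someptr computation next to a hardened handler that range-checks cmdreq[1] before deriving someptr. Only the 0x924 stride and the +0x14 data offset come from the description; MP_MAX_ENTRIES, MP_STATE_OFF, MP_FRAME_OFF, the cmdreq header word and the error codes are assumptions made for the demo. The size check in the hardened handler is not something the page lists as missing; it is included because a bounded copy needs it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Hypothetical layout. Only the 0x924 per-index stride and the +0x14 data
// offset are taken from the description above; everything else here is an
// assumption made for the demo, not the real MP sysmodule layout.
#define MP_ENTRY_SIZE   0x924u                  // stride between entries (from the page)
#define MP_MAX_ENTRIES  8u                      // assumed number of entries in the array
#define MP_STATE_OFF    0x40u                   // assumed "somestateoffset"
#define MP_FRAME_OFF    0x100u                  // assumed "someotheroffset": the u16 size lives here
#define MP_FRAME_DATA   (MP_FRAME_OFF + 0x14u)  // frame data is copied here (page: +0x14)
#define MP_STATE_SIZE   (MP_STATE_OFF + MP_MAX_ENTRIES * MP_ENTRY_SIZE)

struct mp_state {
    uint8_t raw[MP_STATE_SIZE];
};

// someptr - stateptr, computed exactly as the page describes: the index is
// used without any range check, so a large index lands far outside the block.
size_t mp_someptr_offset(uint32_t index)
{
    return MP_STATE_OFF + (size_t)index * MP_ENTRY_SIZE;
}

// The missing check: the entry selected by cmdreq[1] must be one of the
// MP_MAX_ENTRIES entries that actually exist in the state block.
int mp_index_valid(uint32_t index)
{
    return index < MP_MAX_ENTRIES;
}

// Hardened handler for the input_flag=0 path: validates cmdreq[1] before
// deriving someptr, then copies the input buffer into the entry using the
// u16 size stored at someptr+MP_FRAME_OFF.
// Returns 0 on success, -1 for a bad index, -2 for a bad size (assumed codes).
int mp_send_data_frame(struct mp_state *st, const uint32_t *cmdreq,
                       const uint8_t *inbuf, size_t inlen)
{
    uint32_t index = cmdreq[1];
    if (!mp_index_valid(index))
        return -1;
    uint8_t *someptr = st->raw + mp_someptr_offset(index);

    uint16_t size;
    memcpy(&size, someptr + MP_FRAME_OFF, sizeof size);
    // Not listed on the page as missing, but a bounded copy needs it: the
    // stored size must not exceed the caller's buffer nor the entry itself.
    if (size > inlen)
        return -2;
    if ((size_t)MP_FRAME_DATA + size > MP_ENTRY_SIZE)
        return -2;
    memcpy(someptr + MP_FRAME_DATA, inbuf, size);
    return 0;
}

// Demo helpers: set an entry's stored u16 size and read back copied data.
void mp_set_frame_size(struct mp_state *st, uint32_t index, uint16_t size)
{
    memcpy(st->raw + mp_someptr_offset(index) + MP_FRAME_OFF, &size, sizeof size);
}

uint8_t mp_get_frame_byte(const struct mp_state *st, uint32_t index, size_t i)
{
    return st->raw[mp_someptr_offset(index) + MP_FRAME_DATA + i];
}

int main(void)
{
    static struct mp_state st;
    uint8_t frame[4] = { 0xde, 0xad, 0xbe, 0xef };  // constructed input buffer
    uint32_t cmdreq[2] = { 0x00010042, 3 };         // assumed header word, index 3

    // Legitimate request: index inside the array, copy succeeds.
    mp_set_frame_size(&st, cmdreq[1], sizeof frame);
    printf("index %u -> %d (data[0]=0x%02x)\n", cmdreq[1],
           mp_send_data_frame(&st, cmdreq, frame, sizeof frame),
           mp_get_frame_byte(&st, cmdreq[1], 0));

    // Attacker request: index 0x10000 would put someptr well past the end of
    // the 0x4960-byte block; the hardened handler refuses it before any write.
    cmdreq[1] = 0x10000;
    printf("index 0x%x -> someptr at stateptr+0x%zx (block is 0x%zx bytes), handler returns %d\n",
           cmdreq[1], mp_someptr_offset(cmdreq[1]), (size_t)MP_STATE_SIZE,
           mp_send_data_frame(&st, cmdreq, frame, sizeof frame));
    return 0;
}
```

The point of the model is that mp_someptr_offset() is the page's arithmetic with nothing in front of it: the only thing standing between cmdreq[1] and an arbitrary write is the comparison in mp_index_valid(), which the vulnerable handler skips on the input_flag=0 path.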
|
| None
| [[8.0.0-18]] (MP-sysmodule v2048)
| January 22, 2017
| January 22, 2017
| [[User:Yellows8|Yellows8]]
|-
| [[MP_Services|MP]] cmd1 out-of-bounds handle read