Summary
In parse_recv_state in subsys/bluetooth/audio/bap_broadcast_assistant.c, recv_state->num_subgroups is not verified, leading to a stack overflow in the subsequent for loop.
Details
The function parse_recv_state is invoked from read_recv_state_cb, and its third parameter, recv_state, is defined as a local stack variable within read_recv_state_cb.
In parse_recv_state, the number of subgroups is determined by user input through the following line of code:
    recv_state->num_subgroups = net_buf_simple_pull_u8(&buf);
This value is not validated and is directly used as the upper limit in the subsequent for loop. During the loop's execution, the subgroup pointer can eventually exceed the bounds of the subgroups array inside recv_state, causing a stack overflow.
    for (int i = 0; i < recv_state->num_subgroups; i++) {
        struct bt_bap_bass_subgroup *subgroup = &recv_state->subgroups[i];
The maximum number of subgroups should be restricted to a predefined configuration value, ensuring that user input does not exceed CONFIG_BT_BAP_BASS_MAX_SUBGROUPS, the size of the array being written:
    struct bt_bap_bass_subgroup subgroups[CONFIG_BT_BAP_BASS_MAX_SUBGROUPS];
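As an added example (not the Zephyr code from the advisory), the bounds check described above applied in a stand-alone C parser: the types, the buffer cursor and the subgroup wire layout are simplified stand-ins, and the Kconfig constant is given a small illustrative value.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-ins for the Zephyr types. CONFIG_BT_BAP_BASS_MAX_SUBGROUPS is the
 * Kconfig symbol named in the advisory, given a small value here for illustration. */
#define CONFIG_BT_BAP_BASS_MAX_SUBGROUPS 2

struct subgroup_stub { uint32_t bis_sync; uint8_t metadata_len; };

struct recv_state_stub {
    uint8_t num_subgroups;
    struct subgroup_stub subgroups[CONFIG_BT_BAP_BASS_MAX_SUBGROUPS];
};

/* Minimal read cursor over a received byte string, standing in for net_buf_simple. */
struct buf_stub { const uint8_t *data; size_t len; };

static int pull_u8(struct buf_stub *b, uint8_t *out) {
    if (b->len < 1) return -1;
    *out = *b->data++; b->len--;
    return 0;
}

/* Returns 0 on success, -1 on truncated input, -2 when the peer-supplied subgroup
 * count exceeds the fixed array. That second check is the one the advisory says
 * was missing: without it the loop below writes past the end of subgroups[]. */
int parse_recv_state_checked(const uint8_t *data, size_t len, struct recv_state_stub *st) {
    struct buf_stub b = { data, len };
    if (pull_u8(&b, &st->num_subgroups) < 0) return -1;
    if (st->num_subgroups > CONFIG_BT_BAP_BASS_MAX_SUBGROUPS) {
        st->num_subgroups = 0;   /* do not leave an out-of-range count behind */
        return -2;
    }
    for (int i = 0; i < st->num_subgroups; i++) {
        struct subgroup_stub *sg = &st->subgroups[i];
        uint8_t byte;
        /* constructed subgroup layout: 4-byte little-endian bis_sync, then metadata_len */
        sg->bis_sync = 0;
        for (int k = 0; k < 4; k++) {
            if (pull_u8(&b, &byte) < 0) return -1;
            sg->bis_sync |= (uint32_t)byte << (8 * k);
        }
        if (pull_u8(&b, &sg->metadata_len) < 0) return -1;
    }
    return 0;
}
```

The rejected count is reset before returning so that a caller which ignores the error code still cannot loop over a stale out-of-range value.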
Impact
Exploitation could lead to instability (i.e., a crash) or denial of service.
Patches
main: #74062
v3.6: #77966
For more information
If you have any questions or comments about this advisory:
embargo: 2024-09-10
Credits
@ekleezg