LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable…
GitHub_M·CWE-120·Published 2022-10-06
LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to a 65280-byte out-of-bounds write. The function `ProcessRadioRxDone` implicitly expects incoming radio frames to have a payload of at least one byte. An empty payload leads to a 1-byte out-of-bounds read of user-controlled content when the payload buffer is reused. This allows an attacker to craft a FRAME_TYPE_PROPRIETARY frame with size -1, which results in a 65280-byte out-of-bounds memcpy, likely with partially attacker-controlled data. Corrupting a large part of the data section is likely to cause a DoS. If the large out-of-bounds write does not immediately crash the device, the attacker may gain control over execution, since large parts of the data section are now under their control. Users are advised to upgrade, either by updating their package or by manually applying the patch commit `e851b079`.
LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper validation of the size of incoming radio frames can lead to a 65280-byte out-of-bounds write. The function "ProcessRadioRxDone" implicitly expects incoming radio frames to have a payload of at least one byte. An empty payload leads to a 1-byte out-of-bounds read of user-controlled content when the payload buffer is reused. This allows an attacker to craft a FRAME_TYPE_PROPRIETARY frame of size -1, which results in a 65280-byte out-of-bounds memory copy, probably with partially attacker-controlled data. Corrupting a large part of the data section can cause a DoS. If the large out-of-bounds write does not immediately crash the device, the attacker may gain control of execution, since large parts of the data section are now under their control. Users are advised to update their package or to manually apply the patch commit "e851b079".
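As an added illustration (not LoRaMac-node's own code), a minimal receive handler in C contrasts the unchecked length arithmetic the advisory describes with a hardened version that validates the frame length before reading the header byte or copying the payload. The constants, buffer sizes, integer widths and sample frames are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes and names for illustration; not LoRaMac-node's own code. */
#define RX_PAYLOAD_MAX          256u
#define MAC_HEADER_LEN          1u     /* the MHDR byte that precedes the payload */
#define FRAME_TYPE_PROPRIETARY  7u     /* MHDR bits 7..5 == 0b111 in LoRaWAN */

static uint8_t rx_payload[RX_PAYLOAD_MAX];

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_proprietary[] = { 0xE0, 0xDE, 0xAD, 0xBE, 0xEF }; /* type 7 */
static const uint8_t sample_other_type[]  = { 0x40, 0x01 };                   /* type 2 */

/* Unchecked arithmetic of the kind the advisory describes: an empty frame
 * (size 0) makes "size minus header" wrap in unsigned arithmetic. With the
 * 16-bit width assumed here the result is 65535; the advisory's 65280 comes
 * from the project's own arithmetic, which is not reproduced here. */
uint16_t unchecked_payload_len(uint16_t size)
{
    return (uint16_t)(size - MAC_HEADER_LEN);
}

/* Hardened receive path: validate the frame length before touching the
 * buffer, so an empty frame never reads frame[0] (stale, user-controlled
 * bytes left from a previous frame) and the length can never wrap.
 * Returns the number of payload bytes copied, or -1 if the frame is rejected. */
int process_rx_done_hardened(const uint8_t *frame, uint16_t size)
{
    if (frame == NULL || size < MAC_HEADER_LEN) {
        return -1;                      /* the minimum-size check that was missing */
    }
    uint16_t payload_len = size - MAC_HEADER_LEN;   /* safe: size >= 1 */
    if (payload_len > RX_PAYLOAD_MAX) {
        return -1;                      /* bound the copy to the destination buffer */
    }
    if ((frame[0] >> 5) != FRAME_TYPE_PROPRIETARY) {
        return -1;                      /* other frame types are not shown here */
    }
    memcpy(rx_payload, frame + MAC_HEADER_LEN, payload_len);
    return (int)payload_len;
}

int main(void)
{
    printf("empty frame -> %d\n", process_rx_done_hardened(sample_proprietary, 0));
    printf("valid frame -> %d\n",
           process_rx_done_hardened(sample_proprietary, sizeof sample_proprietary));
    printf("unchecked length for size 0 -> %u\n", unchecked_payload_len(0));
    return 0;
}
```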
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |