Sukchan Lee
048a74005b
[SEC] Heap overflow in parse PLMN-ID ( #3154 )
An assert should be triggered if sepp_node is corrupted, as in the debugger dump below (note the out-of-range num_of_plmn_id).
```
pwndbg> p *sepp_node
$5 = {
lnode = {
prev = 0x0,
next = 0xaaaac920c638
},
receiver = 0xaaaac9230990 "sepp2.localdomain",
negotiated_security_scheme = OpenAPI_security_capability_TLS,
target_apiroot_supported = true,
plmn_id = {{
mcc1 = 6 '\006',
mcc2 = 6 '\006',
mcc3 = 6 '\006',
mnc1 = 6 '\006',
mnc2 = 6 '\006',
mnc3 = 6 '\006'
} <repeats 12 times>},
num_of_plmn_id = 6710887,
target_plmn_id_presence = false,
target_plmn_id = {
mcc1 = 0 '\000',
mcc2 = 0 '\000',
mcc3 = 0 '\000',
mnc1 = 0 '\000',
mnc2 = 0 '\000',
mnc3 = 0 '\000'
},
supported_features = 1,
sm = {
init = 0xaaaaada181fc <sepp_handshake_state_initial>,
fini = 0xaaaaada18390 <sepp_handshake_state_final>,
state = 0xaaaaada194b4 <sepp_handshake_state_established>
},
t_establish_interval = 0xffffa7d6c4e0,
client = 0xaaaac91af010,
n32f = {
client = 0xaaaac91af090
}
}
pwndbg> p/x sepp_node.num_of_plmn_id
$6 = 0x666667
```
2024-04-30 22:10:45 +09:00