dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:HZephyrproject Zephyr
OSZephyrproject≤ 4.3.0
Related vulnerabilities
Błąd adresowania GP w Zephyr RTOS na architekturze RISC-V
Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack
Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buff...
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.