Description of the issue
The AWS OTA MQTT incoming data callback in the Silicon Labs DIC example contains an unchecked copy of network-controlled payload data into a fixed-size stack buffer.
In dic_aws_ota_mqtt_incoming_data_cb at dic.cpp, the code allocates u8_t buff[1500] and then performs memcpy(buff, data, len) without validating that len is less than or equal to 1500. Because len is provided by the MQTT incoming data callback, it is derived from network input. An oversized MQTT payload can therefore overflow the stack buffer, causing a crash and potentially enabling code execution depending on target protections and memory layout.
The same callback also calls strlen(topic) even though the callback interface already provides topic_len and does not guarantee that topic is NUL-terminated. This introduces an additional out-of-bounds read risk when logging the topic length.
I validated the overflow with a standalone AddressSanitizer PoC that reproduces the callback logic and passes a 2000-byte heap-backed payload. The PoC triggers a stack-buffer-overflow in memcpy, confirming that the overflow is reachable when the callback receives oversized MQTT data.
A safe fix is to remove the fixed-size stack copy and pass the original data buffer through to the subscriber callback, and to stop calling strlen(topic) in favor of the provided topic_len.
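The hardened shape of the callback that the fix above describes, written here as an added example rather than code from the Silicon Labs DIC example: the subscriber callback signature, the result codes and the DIC_OTA_MAX_PAYLOAD sanity cap are assumptions for illustration, and the topic is logged through its explicit length instead of strlen.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint8_t u8_t;
/* Subscriber signature assumed for this example: topic with explicit length,
 * payload by pointer and length, so the callback never needs a local copy. */
typedef void (*subscriber_cb_t)(const char *topic, size_t topic_len,
                                const u8_t *data, size_t len);
#define DIC_OTA_MAX_PAYLOAD 1500u  /* size of the stack buffer in the report */
enum { DIC_CB_OK = 0, DIC_CB_ERR_ARG = -1, DIC_CB_ERR_OVERSIZED = -2 };

/* Hardened callback: checks len, logs the topic using topic_len instead of
 * strlen(topic), and forwards the original data buffer unchanged. */
int dic_aws_ota_mqtt_incoming_data_cb_safe(const char *topic, size_t topic_len,
                                           const u8_t *data, size_t len,
                                           subscriber_cb_t subscriber)
{
    if (topic == NULL || data == NULL || subscriber == NULL)
        return DIC_CB_ERR_ARG;
    if (len > DIC_OTA_MAX_PAYLOAD)      /* the check the original memcpy lacked */
        return DIC_CB_ERR_OVERSIZED;
    /* %.*s stops after topic_len bytes, so an unterminated topic is safe to print */
    printf("topic=%.*s topic_len=%zu len=%zu\n", (int)topic_len, topic, topic_len, len);
    subscriber(topic, topic_len, data, len);   /* no u8_t buff[1500] copy */
    return DIC_CB_OK;
}

/* Recording subscriber so the forwarding behaviour can be observed. */
static size_t g_calls = 0, g_last_len = 0;
static void recording_subscriber(const char *topic, size_t topic_len,
                                 const u8_t *data, size_t len)
{
    (void)topic; (void)topic_len; (void)data;
    g_calls++; g_last_len = len;
}

/* Delivers a constructed n-byte payload (n <= 2000) with an unterminated topic. */
int deliver_payload(size_t n)
{
    static u8_t payload[2000];                     /* constructed test input */
    static const char topic[3] = {'o', 't', 'a'};  /* deliberately no NUL */
    if (n > sizeof payload) return DIC_CB_ERR_ARG;
    memset(payload, 0x41, sizeof payload);
    return dic_aws_ota_mqtt_incoming_data_cb_safe(topic, sizeof topic, payload, n,
                                                  recording_subscriber);
}
size_t subscriber_calls(void) { return g_calls; }
size_t last_forwarded_len(void) { return g_last_len; }
```

Calling deliver_payload(2000) mirrors the PoC input: the oversized payload is rejected before any copy, while a 1500-byte payload is forwarded to the subscriber by pointer.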
Steps to reproduce the issue
PoC
dic_aws_ota_mqtt_overflow_poc.zip
Device type(s) and network topology
N/A
Proposed solution(s)
No response
SMG version
release_2.3.1-1.3
Protocol(s)
Thread
Hardware platform(s)
Not applicable
Development platform(s)
No response
Captured data or logs
alex@Alexs-Mac-mini dic_aws_ota_mqtt_overflow_poc % ./dic_cb_poc
dic_cb_poc(53037,0x1fd802140) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==53037==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016ae7acdc at pc 0x000105863108 bp 0x00016ae7a6d0 sp 0x00016ae79e80
WRITE of size 2000 at 0x00016ae7acdc thread T0
#0 0x000105863104 in __asan_memcpy+0x330 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3b104)
#1 0x000104f84c94 in dic_aws_ota_mqtt_incoming_data_cb dic_cb_poc.c:26
#2 0x000104f84a30 in main dic_cb_poc.c:43
#3 0x00018f506b94 (<unknown module>)
Address 0x00016ae7acdc is located in stack of thread T0 at offset 1532 in frame
#0 0x000104f84b1c in dic_aws_ota_mqtt_incoming_data_cb dic_cb_poc.c:22
This frame has 1 object(s):
[32, 1532) 'buff' (line 25) <== Memory access at offset 1532 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow dic_cb_poc.c:26 in dic_aws_ota_mqtt_incoming_data_cb
Shadow bytes around the buggy address:
0x00016ae7aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7ac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00016ae7ac80: 00 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3
0x00016ae7ad00: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x00016ae7ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7ae00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 04 f3
0x00016ae7ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00016ae7af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==53037==ABORTING
zsh: abort ./dic_cb_poc