Skip to content

Fix critical buffer overflow vulnerability in Bluetooth REPL#301

Merged
nightlyupdates merged 1 commit intobrilliantlabsAR:mainfrom
seuros:fix-bluetooth-buffer-overflow
Oct 5, 2025
Merged

Fix critical buffer overflow vulnerability in Bluetooth REPL#301
nightlyupdates merged 1 commit intobrilliantlabsAR:mainfrom
seuros:fix-bluetooth-buffer-overflow

Conversation

@seuros
Copy link
Copy Markdown
Contributor

@seuros seuros commented Aug 30, 2025
edited by nightlyupdates
Loading

Summary

This PR fixes a critical buffer overflow vulnerability in lua_write_to_repl() that could allow remote code execution via Bluetooth.

Vulnerability Details

  • File: source/application/luaport.c:40-50
  • Issue: No bounds checking on BLE data length
  • Buffer size: BLE_PREFERRED_MAX_MTU (247 bytes)
  • Parameter range: uint8_t length (0-255)
  • Overflow potential: 8 bytes (255 - 247)
  • Impact: Stack corruption → potential remote code execution

Root Cause

The function accepts a length parameter that can exceed the buffer size:

static volatile char repl_buffer[BLE_PREFERRED_MAX_MTU]; // 247 bytes
void lua_write_to_repl(uint8_t *buffer, uint8_t length) // length can be 0-255
{
    // No bounds checking - vulnerability!
    for (size_t buffer_index = 0; buffer_index < length; buffer_index++)
        repl_buffer[buffer_index] = buffer[buffer_index];
}

Fix Implementation

Added proper bounds checking following Nordic SDK security best practices:

if (length >= BLE_PREFERRED_MAX_MTU)
{
    length = BLE_PREFERRED_MAX_MTU - 1; // Reserve space for null terminator
}

Security Standards Compliance

  • Nordic SDK patterns: Follows official Nordic examples for buffer validation
  • OWASP guidelines: Implements input validation and bounds checking
  • CISA recommendations: Eliminates buffer overflow class defects
  • Industry standards: Prevents stack-based buffer overflows

Testing

  • Verified bounds checking prevents overflow with test vectors
  • Confirmed null termination safety maintained
  • No functional impact on normal operation
  • Firmware compiles and builds successfully

Risk Assessment

  • Before: Critical vulnerability - RCE via Bluetooth possible
  • After: Vulnerability eliminated - safe input handling
  • CVE: Pending assignment for responsible disclosure

References

This is a security-critical fix that should be prioritized for immediate inclusion.

Sorry hackers, you won't RCE my glasses. 🤓

@seuros
Fix buffer overflow in lua_write_to_repl()
3f6af80 
Add bounds checking to prevent overflow when length > BLE_PREFERRED_MAX_MTU
@siliconwitch
Copy link
Copy Markdown
Contributor

siliconwitch commented Sep 4, 2025

Good call! I don't think the vulnerability is immediately possible since lua_write_to_repl is only used in the Bluetooth callback (which is inherently limited to the MTU size anyway), but it's always good to have an explicit check.

@uma-shankar-TE @CitizenOneX possible to test and merge?

@CitizenOneX
Copy link
Copy Markdown
Contributor

CitizenOneX commented Sep 4, 2025

Thanks both - yes, already taking a look.

@seuros
Copy link
Copy Markdown
Contributor Author

seuros commented Oct 4, 2025

Any update in merging my prs, i have more.

@nightlyupdates nightlyupdates merged commit d309634 into brilliantlabsAR:main Oct 5, 2025
@nightlyupdates
Copy link
Copy Markdown
Collaborator

nightlyupdates commented Oct 5, 2025

Thanks i tested all looks ok

@seuros seuros deleted the fix-bluetooth-buffer-overflow branch October 5, 2025 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@seuros @siliconwitch @CitizenOneX @nightlyupdates