Hello.
It is possible to overwrite the contents of memory using a 32-character string, permitted by the standard, for the mf_name and model_id fields of the zb_zcl_basic_attrs_ext_t struct located in the /external/zboss/addons/zcl/zb_zcl_basic_addons.h header file of Zigbee SDK 4.0.0:
/** @brief Basic cluster attributes according to ZCL Spec 3.2.2.2 */
typedef struct
{
    zb_uint8_t zcl_version;
    zb_uint8_t app_version;
    zb_uint8_t stack_version;
    zb_uint8_t hw_version;
    zb_char_t  mf_name[32];
    zb_char_t  model_id[32];
    zb_char_t  date_code[16];
    zb_uint8_t power_source;
    zb_char_t  location_id[15];
    zb_uint8_t ph_env;
    zb_char_t  sw_ver[17];
} zb_zcl_basic_attrs_ext_t;
It is required to allocate 1 byte more in memory than the string length, to place the information about the length of the character string in the first byte.
An example of writing the 32-char string "0123456789abcdef0123456789abcdef" using the ZB_ZCL_SET_STRING_VAL macro:
Also, the size of the location_id field should be sufficient to store a character string 16 bytes long (3.2.2.2.16, ZCL 7), but its length is defined as 15 (it should be 17 to store the 1-byte string length and 16 bytes of string data).