BF Specification of CVE-2019-14814

Missing verification of 'rate_ie->len' against an upper limit leads to use of an inconsistent size for an object, allowing a pointer to be repositioned over its bounds, which, when used in 'memcpy()', leads to a heap buffer overflow. If exploited, this can lead to denial of service (system crash) and possibly arbitrary code execution.
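The chain described above, as an added example in user-space C (a simplified model written for this page, not the affected driver's code). Only 'rate_ie->len' and 'memcpy()' come from the description; `struct ie_hdr`, `struct bss_cfg`, `RATES_MAX`, the canary field and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RATES_MAX 14            /* assumed capacity of the destination array */

struct ie_hdr {                 /* simplified information element: id, len, payload */
    uint8_t id;
    uint8_t len;                /* sender-controlled, 0..255 */
    uint8_t data[];
};

struct bss_cfg {                /* stands in for the heap object holding the rates */
    uint8_t rates[RATES_MAX];
    uint8_t canary[8];          /* whatever follows rates[] in memory */
};

/* Buggy form: the DVR range check is missing, so rate_ie->len is an
 * inconsistent size; memcpy() moves the destination pointer over bounds (MAD)
 * and writes past rates[] (MUS buffer overflow) whenever len > RATES_MAX. */
void set_rates_unchecked(struct bss_cfg *cfg, const struct ie_hdr *rate_ie)
{
    memcpy(cfg->rates, rate_ie->data, rate_ie->len);
}

/* Fixed form: reject the element before len is used as a copy size. */
int set_rates_checked(struct bss_cfg *cfg, const struct ie_hdr *rate_ie)
{
    if (rate_ie->len > sizeof(cfg->rates))
        return -1;              /* range check against the upper limit */
    memcpy(cfg->rates, rate_ie->data, rate_ie->len);
    return 0;
}

/* Bytes the unchecked copy would write above the upper bound of rates[]. */
size_t overrun_bytes(uint8_t len)
{
    return len > RATES_MAX ? (size_t)len - RATES_MAX : 0;
}

/* Constructed input: an element with id 1 claiming 40 payload bytes. */
int main(void)
{
    uint8_t frame[2 + 40] = { 1, 40 };
    struct bss_cfg cfg = { {0}, {0} };
    return set_rates_checked(&cfg, (const struct ie_hdr *)frame) == -1 ? 0 : 1;
}
```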



DVR: Data are verified (semantics check) or corrected (assign, remove) improperly.
MAD: The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUS: An object is initialized, read, written, or cleared improperly.
Verify: Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it.
Reposition: Change the pointer to another position inside its object.
Write: Change the data value of an object to another meaningful value.
Code Defect Bug: The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing Code: The entire operation implementation or a part of its specification is absent.
Data Error/Fault: The object data has harmed semantics or an inconsistent or wrong value.
   Inconsistent Value: The data value does not correspond to the value of related data (e.g., inconsistency between the value of a size variable and the actual buffer size).
   Wrong Size: The value used as size does not match the actual size of the object.
Address Error/Fault: The object address in use is wrong.
   Over Bounds Pointer: Points above the upper boundary of its object.
Memory Corruption/Disclosure Final Error: An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer Overflow: Writes above the upper bound of an object -- aka Buffer Over-Write.
Operation Attribute: Definition
Mechanism: Shows how the buggy/faulty operation code is performed.
   Range: Checking that data are within a (min, max) interval.
   Sequential: The operation is performed after iterating over the object elements.
Source Code: Shows where the buggy/faulty operation code is in the program -- in what kind of software.
   Codebase: The operation is in the programmer's code - in the application itself.
Execution Space: Shows where the buggy/faulty operation code is running (or with what privilege level).
   Admin: The bugged code runs in an environment with an access control policy with unlimited (admin user) permission.
   Kernel: The bugged code runs in an environment with privilege levels with access to privileged instructions (e.g., ring 0 in x86 architecture).
Operand Attribute: Definition
Data State: Shows where the data come from.
   In Use: The data are from a volatile storage (e.g., RAM, cache memory).
Address State: Shows where the address is in the memory layout.
   Heap: The object is a dynamically allocated data structure (e.g., via malloc() and new).
Size Kind: Shows what the limit for traversal of the object is.
   Used: A supplied size for an object.