Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- >= 5.5.1, <= 5.5.1
- >= 5.4.3, <= 5.4.3
- >= 5.3.4, <= 5.3.4
- >= 5.2.6, <= 5.2.6
- >= 5.1.6, <= 5.1.6
A vulnerability allowing for an out-of-bounds write has been identified in the Espressif Internet of Things Development Framework (ESP-IDF) Bluetooth stack, specifically within the Audio/Video Remote Control Profile (AVRCP) handling. This issue is present in versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier. The vulnerability arises in the 'avrc_vendor_msg()' function, where the buffer size for vendor commands was incorrectly validated. The previous minimum command length of 20 bytes was insufficient, as the actual header data can exceed this, leading to potential memory corruption, crashes, or undefined behavior, especially when assertions are disabled.
Exploitation of this vulnerability can cause memory corruption, application crashes, or other undefined behaviors. The out-of-bounds write could be more severe when assertions are disabled, potentially allowing for greater memory corruption.
The vulnerability can be reproduced by sending a vendor command through the AVRCP interface whose 'vendor_len' value is large enough to approach the buffer limit, so that the write exceeds the memory allocated under the incorrect length validation. The value in question is the 'vendor_len' field of the 'tAVRC_MSG_VENDOR' structure consumed by 'avrc_vendor_msg()'. The issue occurs because the buffer allocation does not account for the full size of the data being written, particularly when 'vendor_len' is large.
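The sizing mistake described above, shown beside a bounds-checked form, as an added example that is not ESP-IDF code: the header size, buffer size and function names (`weak_alloc_size`, `safe_alloc_size`, `overrun_bytes`, `build_vendor_cmd`, `demo_build`) are assumptions chosen only to illustrate the pattern, and 24 bytes stands in for a header that exceeds the 20-byte minimum the advisory cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ESP-IDF code. All constants are assumptions chosen to
 * illustrate the sizing mistake the advisory describes, not real stack values. */
#define DEMO_OLD_MIN_LEN 20u  /* the insufficient 20-byte minimum the advisory cites */
#define DEMO_HDR_LEN     24u  /* assumed actual header size written ahead of the payload */
#define DEMO_BUF_LEN     64u  /* assumed size of the fixed command buffer */

/* Sizing in the style the advisory describes: the allocation assumes the
 * header never exceeds the 20-byte minimum, so every header byte beyond
 * that is written past the end of the buffer. */
size_t weak_alloc_size(size_t vendor_len)
{
    return DEMO_OLD_MIN_LEN + vendor_len;
}

/* Hardened sizing: account for the full header and refuse lengths whose
 * sum would wrap. Returns 0 when the request must be rejected. */
size_t safe_alloc_size(size_t vendor_len)
{
    if (vendor_len > SIZE_MAX - DEMO_HDR_LEN) {
        return 0; /* header + payload would overflow size_t */
    }
    return DEMO_HDR_LEN + vendor_len;
}

/* Number of bytes a header + payload write would run past an allocation of
 * alloc_size bytes (0 means the write fits). */
size_t overrun_bytes(size_t alloc_size, size_t vendor_len)
{
    size_t needed = DEMO_HDR_LEN + vendor_len;
    return needed > alloc_size ? needed - alloc_size : 0;
}

/* Bounds-checked assembly of header + payload into dst. Returns the number
 * of bytes written, or 0 when the message does not fit in dst_len bytes. */
size_t build_vendor_cmd(uint8_t *dst, size_t dst_len,
                        const uint8_t *payload, size_t vendor_len)
{
    size_t needed = safe_alloc_size(vendor_len);
    if (needed == 0 || needed > dst_len) {
        return 0; /* reject before any byte is written */
    }
    memset(dst, 0xAA, DEMO_HDR_LEN);               /* stand-in header bytes */
    memcpy(dst + DEMO_HDR_LEN, payload, vendor_len); /* payload after the header */
    return needed;
}

/* Convenience wrapper over a fixed DEMO_BUF_LEN buffer and a constructed
 * payload of vendor_len bytes, so the check is easy to exercise. */
size_t demo_build(size_t vendor_len)
{
    static uint8_t buf[DEMO_BUF_LEN];
    static uint8_t payload[DEMO_BUF_LEN];
    if (vendor_len > sizeof(payload)) {
        return 0; /* keep the constructed payload itself in bounds */
    }
    memset(payload, 0x5A, vendor_len);
    return build_vendor_cmd(buf, sizeof(buf), payload, vendor_len);
}
```

With the assumed sizes, a 40-byte payload sized by `weak_alloc_size` gets a 60-byte allocation while the write needs 64 bytes, so `overrun_bytes` reports a 4-byte overrun; `safe_alloc_size` sizes the same request at 64 bytes and `build_vendor_cmd` refuses anything that would not fit before touching the buffer.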
Users can update to Espressif ESP-IDF versions 5.5.2, 5.4.4, 5.3.5, or 5.2.7, all of which include the necessary fix. Instructions for updating can be found in the Espressif ESP-IDF documentation.