Full Disclosure mailing list archives

From: Ron E <ronaldjedgerson () gmail com> Date: Thu, 8 Jan 2026 10:17:43 -0500

A global buffer overflow vulnerability exists in the TinyOS printfUART
implementation used within the ZigBee / IEEE 802.15.4 networking stack. The
issue arises from an unsafe custom sprintf() routine that performs
unbounded string concatenation using strcat() into a fixed-size global
buffer. The global buffer debugbuf, defined with a size of 256 bytes, is
used as the destination for formatted output. When a %s format specifier is
supplied with a string longer than the available buffer space, the
implementation appends the string without any bounds checking, resulting in
a write beyond the end of the global buffer. This condition allows memory
corruption and can lead to denial-of-service, unintended behavior, or
information disclosure. The vulnerability is deterministic and independent
of the hardware platform.

*Root Cause:*

The vulnerability occurs in the following code path:
#define DEBUGBUF_SIZE 256
char debugbuf[DEBUGBUF_SIZE];

case 's':
ptr = va_arg(ap, char *);
strcat(buf, ptr);   // no bounds checking

The printfUART() macro ultimately calls the custom sprintf() implementation
with debugbuf as the destination buffer. The use of strcat() without
validating the remaining capacity of debugbuf allows attacker-controlled
strings passed via %s to overflow the buffer.


*Impact:*

- Global memory corruption
- Denial of service (device crash)
- Information disclosure via UART output
- Undefined behavior affecting adjacent global state or interrupt-driven
execution

On typical TinyOS deployments (AVR / MSP430):

- No memory protection
- No stack canaries
- No ASLR

This significantly increases the severity of memory corruption.

*Proof of Concept:*

The issue was validated using AddressSanitizer, which reported a
global-buffer-overflow during execution:

./printUART



*Output:*
=================================================================
==492203==ERROR: AddressSanitizer: global-buffer-overflow on address
0xaaaaea1774a0 at pc 0xaaaae972eee4 bp 0xfffff642d3a0 sp 0xfffff642cb90
WRITE of size 1024 at 0xaaaaea1774a0 thread T0
#0 0xaaaae972eee0 in strcat (/root/tinyos-main/printfuart+0xbeee0)
(BuildId: b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826)
#1 0xaaaae978d024 in sprintf
/tinyos-main/tos/lib/net/zigbee/ieee802154/includes/printfUART.h:266:13
#2 0xaaaae978e1b8 in main /root/tinyos-main/printfuart.c:47:5
#3 0xffffac4a2598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#4 0xffffac4a2678 in __libc_start_main csu/../csu/libc-start.c:360:3
#5 0xaaaae96a592c in _start (/root/tinyos-main/printfuart+0x3592c)
(BuildId: b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826)

0xaaaaea1774a0 is located 0 bytes after global variable 'debugbuf' defined
in '/tinyos-main/tos/lib/net/zigbee/ieee802154/includes/printfUART.h:81'
(0xaaaaea1773a0) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow
(/root/tinyos-main/printfuart+0xbeee0) (BuildId:
b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826) in strcat
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion Ron E (Jan 10)