Hello - Yes; I am pretty sure it is some type of overflow (either buffer or heap).
I have tested this personally on a 3g nano - but from what people are telling me it also works on 5g and all nanos capable of viewing notes in the extras area.

Concerning the code: Since the newer firmwares are encrypted - we might need to take a look at the earlier firmwares like 5g since we know it happens there. Like I said - I tried to look at the code of the 5g and it makes my brain hurt ;) I'm guessing it either occurs in strcpy() or malloc().

Here is what I know for sure right now: We are investigating a vulnerability (possibly a buffer overflow) in the ipod that MIGHT be able to run unsigned code. It occurs in a text doc in the notes area when you have a link longer than 268 bytes. At this point we have been supplied with the following info:

1.) You need the whole link including the "</a>" at the end for the ipod/HTML parser to read it as a valid link.
2.) You need 268 bytes in the <a href="----268 bytes here----"> for it to crash.
3.) We can safely assume that Apple is using strcpy() since the ipod stops parsing the link after NULL 0x00.

That's all I know so far :)

Cheers!
Taylor

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org

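The pattern the post suspects (an href value copied with strcpy() into a fixed-size buffer, with the link only counted once its closing </a> is seen) is illustrated below as an added example; it is not the iPod firmware's code and nothing here is taken from it. The 268-byte buffer size, the `extract_href` and `make_note` names, and the note layout are assumptions made for the example; the point is the length check that an unbounded strcpy() lacks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example, chosen to match the 268-byte
 * threshold reported in the post; not the real firmware's value. */
#define HREF_MAX 268

enum href_status { HREF_OK = 0, HREF_NO_LINK = 1, HREF_TOO_LONG = 2 };

/* Copy the value of href="..." from a note into dst (dst_size bytes).
 * As the post describes, a link only counts when a closing </a> follows,
 * and parsing stops at the first NUL because the input is a C string.
 * An unchecked strcpy(dst, value) here is the overflow the post suspects;
 * this version checks the length before copying. */
enum href_status extract_href(const char *note, char *dst, size_t dst_size)
{
    const char *start = strstr(note, "href=\"");
    if (!start) return HREF_NO_LINK;
    start += strlen("href=\"");
    const char *end = strchr(start, '"');
    if (!end) return HREF_NO_LINK;
    if (!strstr(end, "</a>")) return HREF_NO_LINK;   /* closing tag required */
    size_t len = (size_t)(end - start);
    if (len >= dst_size) return HREF_TOO_LONG;        /* the missing bound */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return HREF_OK;
}

/* Build a constructed note <a href="AAA...A">link</a> with n A's. */
int make_note(size_t n, char *out, size_t out_size)
{
    const char *head = "<a href=\"", *tail = "\">link</a>";
    if (strlen(head) + n + strlen(tail) + 1 > out_size) return -1;
    size_t i = strlen(head);
    memcpy(out, head, i);
    memset(out + i, 'A', n);
    strcpy(out + i + n, tail);
    return 0;
}

/* Parse a constructed note whose href is n bytes long and report the result. */
enum href_status check_note_len(size_t n)
{
    char note[1024], href[HREF_MAX];
    if (make_note(n, note, sizeof note) != 0) return HREF_TOO_LONG;
    return extract_href(note, href, sizeof href);
}

int main(void)
{
    printf("267 bytes -> %d, 268 bytes -> %d\n",
           (int)check_note_len(267), (int)check_note_len(268));
    return 0;
}
```

With the assumed 268-byte buffer, a 267-byte href fits and a 268-byte one is rejected instead of overrunning the buffer, which is the boundary the post reports.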