Buffer overflow in Toxcore exploited by sending a UDP packet

A vulnerability (CVE-2021-44847) has been identified in Toxcore, the reference implementation of the Tox messaging protocol, that could allow code execution when a specially crafted UDP packet is processed. The vulnerability affects all users of Toxcore-based applications that have not disabled the UDP transport. To carry out the attack, it is enough to send a UDP packet knowing the victim's IP address, network port, and public DHT key; since this information is publicly available in the DHT, the attack could have been carried out against any user or DHT node.

The issue appeared in toxcore releases 0.1.9 through 0.2.12 and was fixed in version 0.2.13. Among client applications, only the qTox project has so far released an update that eliminates the vulnerability. As a workaround, you can disable the use of UDP while leaving TCP support enabled.

The vulnerability is caused by a buffer overflow in the handle_request() function, which occurs due to an incorrect calculation of the data size in the network packet. Specifically, the length of the encrypted data was derived from the macro CRYPTO_SIZE, defined as "1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE", which was then used in the subtraction "length - CRYPTO_SIZE". Because the macro body is not parenthesised, the expansion subtracts only the 1 and adds the remaining terms instead of subtracting their sum. For example, instead of "length - (1 + 32 * 2 + 24)", the buffer size was computed as "length - 1 + 32 * 2 + 24", so the resulting length exceeded the packet's real payload and data was written on the stack beyond the bounds of the buffer.
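The macro-precedence error described above, as an added example written for this article rather than toxcore's own code: the key and nonce sizes are the values given in the text, the packet and buffer sizes are hypothetical, and the length check shows the kind of guard a handler needs before copying into a fixed-size buffer.

```c
/* Added example (not toxcore's code): an unparenthesised size macro versus a
 * parenthesised one, and a bounds check that rejects oversized payloads.
 * Constant values (32-byte public key, 24-byte nonce) are from the article. */
#include <stdio.h>
#include <stdbool.h>

#define CRYPTO_PUBLIC_KEY_SIZE 32
#define CRYPTO_NONCE_SIZE      24

/* Vulnerable form: "length - CRYPTO_SIZE_BAD" expands to
 * "length - 1 + 32 * 2 + 24", so only the 1 is subtracted. */
#define CRYPTO_SIZE_BAD  1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE

/* Fixed form: the whole header size is subtracted as a single term. */
#define CRYPTO_SIZE_GOOD (1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE)

/* Encrypted-payload length as the buggy macro computes it. */
long payload_len_bad(long length) {
    return length - CRYPTO_SIZE_BAD;   /* = length + 87, larger than the packet */
}

/* Encrypted-payload length as the corrected macro computes it. */
long payload_len_good(long length) {
    return length - CRYPTO_SIZE_GOOD;  /* = length - 89 */
}

/* Guard a packet handler should apply before decrypting into a fixed-size
 * buffer: the packet must carry the full header and the payload must fit.
 * buffer_size is a hypothetical stand-in for the handler's stack buffer. */
bool request_length_ok(long length, long buffer_size) {
    if (length < CRYPTO_SIZE_GOOD) {
        return false;                  /* too short to hold the header */
    }
    return payload_len_good(length) <= buffer_size;
}

int main(void) {
    long length = 200;                 /* hypothetical received packet size */
    printf("packet %ld bytes: buggy payload len %ld, correct payload len %ld\n",
           length, payload_len_bad(length), payload_len_good(length));
    printf("fits in a 128-byte buffer? %s\n",
           request_length_ok(length, 128) ? "yes" : "no");
    return 0;
}
```

For a 200-byte packet the buggy expansion yields a 287-byte payload length, more than the packet itself, which is why a fixed-size destination buffer is overrun.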

Source: opennet.ru
