SDawn.1
Visitor II
June 30, 2020
Question

STM-PLC bug2


URL: https://www.st.com/content/st_com/en/products/embedded-software/mcu-mpu-embedded-software/stm32-embedded-software/stm32-ode-function-pack-sw/fp-ind-plcwifi1.html

Type: Buffer overflow

Description:

The global variable rung_pos is initialized to zero when the program starts. If no changes are made to it, accessing the global array output with index rung_pos - 1, which equals -1, as shown at line 387 of Ladder_Lib.c, will lead to a buffer overflow.

Ladder_Lib.c:

 92  uint8_t rung_pos=0;

236  int16_t WiFi_Decode (uint8_t* frame)
237  {
     ...
387      memset(&output[rung_pos-1],0,EXPRESSION_MAX_SIZE);
     ...
429  }

Result: Memory corruption
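The following is an added example written for this page; it is not code from the FP-IND-PLCWIFI1 function pack or from the reporter. It models the quoted line in a small, self-contained C program: rung_pos is a uint8_t, so the expression rung_pos - 1 is evaluated after promotion to int and yields -1 when rung_pos is 0 (not 255), and the memset then lands EXPRESSION_MAX_SIZE bytes in front of output[]. The value of EXPRESSION_MAX_SIZE, the number of rungs, and the assumption that output is one EXPRESSION_MAX_SIZE-byte row per rung are all mine; a canary row is placed directly before output inside one struct so the out-of-bounds write can be observed without relying on whatever the real linker placed there. A hardened variant that validates rung_pos before indexing is shown beside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the data touched at Ladder_Lib.c:387. Only rung_pos,
 * output and EXPRESSION_MAX_SIZE appear in the report; the sizes below and the
 * one-row-per-rung layout of output are assumptions made for this example. */
#define EXPRESSION_MAX_SIZE 8   /* assumed value */
#define RUNG_COUNT          4   /* assumed value */

uint8_t rung_pos = 0;           /* as in the report: starts at zero */

/* A canary row sits directly in front of output so the out-of-bounds write has
 * a defined place to land inside a single object. */
struct ladder_mem {
    uint8_t canary[EXPRESSION_MAX_SIZE];
    uint8_t output[RUNG_COUNT][EXPRESSION_MAX_SIZE];
};

static void ladder_init(struct ladder_mem *m)
{
    memset(m->canary, 0xAA, sizeof m->canary);
    memset(m->output, 0xFF, sizeof m->output);
}

int canary_intact(const struct ladder_mem *m)
{
    for (size_t i = 0; i < sizeof m->canary; i++)
        if (m->canary[i] != 0xAA)
            return 0;
    return 1;
}

/* Core of the bug: uint8_t is promoted to int before the subtraction, so
 * pos == 0 gives -1, not 255. Either way the index is out of range. */
int rung_index(uint8_t pos)
{
    return pos - 1;
}

/* Reproduces memset(&output[rung_pos-1], 0, EXPRESSION_MAX_SIZE) via a byte
 * offset within the struct, so the write stays inside one object and can be
 * inspected. Returns 1 if the bytes landed before output[] (in the canary),
 * 0 if inside output[], -1 if the write would leave the struct entirely. */
int unsafe_clear(struct ladder_mem *m, uint8_t pos)
{
    ptrdiff_t out_off = (ptrdiff_t)offsetof(struct ladder_mem, output);
    ptrdiff_t off = out_off + (ptrdiff_t)rung_index(pos) * EXPRESSION_MAX_SIZE;
    if (off < 0 || (size_t)off + EXPRESSION_MAX_SIZE > sizeof *m)
        return -1;
    memset((uint8_t *)m + off, 0, EXPRESSION_MAX_SIZE);
    return off < out_off;
}

/* Hardened form: validate rung_pos before it is turned into an index. */
int safe_clear(struct ladder_mem *m, uint8_t pos)
{
    if (pos < 1 || pos > RUNG_COUNT)
        return -1;   /* no rung selected yet, or out of range: nothing to clear */
    memset(m->output[pos - 1], 0, EXPRESSION_MAX_SIZE);
    return 0;
}

/* Argument-free demos so the outcomes can be checked by a caller. */
int demo_unsafe_corrupts_canary(void)
{
    struct ladder_mem m;
    ladder_init(&m);
    rung_pos = 0;
    unsafe_clear(&m, rung_pos);
    return !canary_intact(&m);      /* 1: bytes before output[] were zeroed */
}

int demo_safe_rejects_zero(void)
{
    struct ladder_mem m;
    ladder_init(&m);
    rung_pos = 0;
    int rc = safe_clear(&m, rung_pos);
    return rc == -1 && canary_intact(&m) && m.output[0][0] == 0xFF;
}

int demo_safe_clears_first_rung(void)
{
    struct ladder_mem m;
    ladder_init(&m);
    rung_pos = 1;
    return safe_clear(&m, rung_pos) == 0 && canary_intact(&m)
        && m.output[0][0] == 0 && m.output[1][0] == 0xFF;
}

int main(void)
{
    printf("rung_pos=0 -> index %d\n", rung_index(0));
    printf("unsafe path corrupted canary: %d\n", demo_unsafe_corrupts_canary());
    printf("safe path rejected rung_pos=0: %d\n", demo_safe_rejects_zero());
    return 0;
}
```

In the real firmware the bytes in front of output are whatever the linker placed there, so the effect ranges from silent corruption of an unrelated global to a crash; the fix is the check in safe_clear, applied before any use of rung_pos - 1 as an index, not after.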
