
STM-PLC bug1

SDawn.1
Associate II

URL:

https://www.st.com/content/st_com/en/products/embedded-software/mcu-mpu-embedded-software/stm32-embedded-software/stm32-ode-function-pack-sw/fp-ind-plcwifi1.html

Type: 

Buffer overflow

Description:

The variable decoded_index is used to mark the decoded byte in the parameter frame. When the first frame byte decoded is an ASCII digit 0-9, decoded_index increases to one, as shown in line 270 of Ladder_Lib.c. However, if the next frame byte is equal to '=', decoded_index decreases to zero, as shown in line 344 of Ladder_Lib.c. Accessing the global array ServerData_RX with index decoded_index - 1, as shown in line 345 of Ladder_Lib.c, will then overflow the array bounds, which will lead the program to jump to an unexpected branch.

236    int16_t WiFi_Decode (uint8_t* frame)
237    {
       ...
247        decoded_index = 0;
       ...
250        do{
252            decode=frame[dec_index++];
253            switch (decode)
254            {
       ...
264                case '9':
       ...
270                    ServerData_RX[decoded_index++]= (decode - 0x30);
       ...
340                case '=':
341                    if ((decoded_index > 0 )&&(ServerData_RX[decoded_index-1]<=9)&&
342                        (ServerData_RX[decoded_index-1] >=0))
343                    {
344                        decoded_index--;
345                        if((ServerData_RX[decoded_index-1]>0)&&(ServerData_RX[decoded_index-1] <=9))
       ...
429    }

Result: Control flow hijacking
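As an added example (not code from the FP-IND-PLCWIFI1 package), the digit and '=' cases of the decoder above are modelled in C with the re-check that line 345 lacks: after decoded_index is decremented, the index decoded_index-1 is validated before ServerData_RX is read, so a frame that starts with a single digit followed by '=' is rejected instead of reading below the array. The array size, the locally held state and the frame-length loop bound are assumptions, since the post only shows fragments of the function.

```c
#include <stdint.h>
#include <stddef.h>

#define SERVERDATA_RX_LEN 64   /* assumed size; the real array size is not in the post */

enum { DECODE_OOB = -1 };

/* Model of the '0'-'9' and '=' cases of WiFi_Decode. State is kept local so the
 * function is re-entrant and testable. Returns the number of decoded bytes left in
 * ServerData_RX, or DECODE_OOB when an out-of-bounds index would have been used. */
int16_t wifi_decode_checked(const uint8_t *frame, size_t frame_len)
{
    int16_t ServerData_RX[SERVERDATA_RX_LEN];
    int16_t decoded_index = 0;
    size_t dec_index = 0;

    while (dec_index < frame_len) {
        uint8_t decode = frame[dec_index++];
        if (decode >= '0' && decode <= '9') {
            /* upper bound check: the original's case '0'..'9' writes unconditionally */
            if (decoded_index >= SERVERDATA_RX_LEN) return DECODE_OOB;
            ServerData_RX[decoded_index++] = (int16_t)(decode - 0x30);
        } else if (decode == '=') {
            /* same guard as lines 341-342 of the post */
            if ((decoded_index > 0) && (ServerData_RX[decoded_index - 1] <= 9) &&
                (ServerData_RX[decoded_index - 1] >= 0)) {
                decoded_index--;                       /* line 344 */
                /* The missing lower-bound re-check: after one digit and '=' the
                 * original indexes ServerData_RX[-1] here (line 345). */
                if (decoded_index < 1) return DECODE_OOB;
                if ((ServerData_RX[decoded_index - 1] > 0) &&
                    (ServerData_RX[decoded_index - 1] <= 9)) {
                    /* body of the line-345 branch is elided in the post */
                }
            }
        }
        /* other switch cases are not shown in the post and are ignored here */
    }
    return decoded_index;
}
```

The constructed frames "1=" (digit then '=') and "12=" show the rejected and the accepted path respectively.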
