
STM-PLC bug6

SDawn.1
Associate II

URL:

https://www.st.com/content/st_com/en/products/embedded-software/mcu-mpu-embedded-software/stm32-embedded-software/stm32-ode-function-pack-sw/fp-ind-plcwifi1.html

Type: 

Buffer overflow

Description:

In the function Evalute_Expression, the local variable output_pos is derived from the variable argument, as shown in line 569 of Ladder_Lib.c, which equals output[output_index].Expression[index++], as shown in line 536 of Ladder_Lib.c. When it is used as an index to access the global array output, as shown in line 570 of Ladder_Lib.c, there is no availability check, which will lead to a buffer overflow, and the program may jump to an unexpected branch.

 56      #define MAX_OUTPUT_NUMBER               30
 ...
 124     OutputStructure_Typedef         output[MAX_OUTPUT_NUMBER];
 ...
 522     uint8_t Evalute_Expression(uint8_t output_index)
 523     {
 ...
 536         while((argument=output[output_index].Expression[index++])!=0)
 ...
 569             uint8_t output_pos=(argument&0x1F)-1;
 570             if(output[output_pos].output_value!=-1)
 ...
 780     }

Result: Control flow hijacking
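As an added illustration, not code from the post or from the FP-IND-PLCWIFI1 sources: the index derivation of line 569 reproduced stand-alone, a check showing which 5-bit operand values fall outside output[], and a bounds-checked lookup. The struct is a stand-in that assumes only the output_value field the snippet touches.

```c
#include <stdint.h>
#include <stdbool.h>

#define MAX_OUTPUT_NUMBER 30

/* Stand-in for the library's OutputStructure_Typedef (assumption: only the
 * field the quoted snippet reads is modelled). */
typedef struct {
    int8_t output_value;
} OutputStructure_Typedef;

static OutputStructure_Typedef output[MAX_OUTPUT_NUMBER];

/* Mirrors line 569 of Ladder_Lib.c: the low five bits of the expression byte,
 * minus one, become the index. The subtraction happens in int and is then
 * narrowed to uint8_t, so an operand of 0 yields 255 and 31 yields 30. */
uint8_t raw_output_pos(uint8_t argument)
{
    uint8_t output_pos = (argument & 0x1F) - 1;
    return output_pos;
}

/* True when line 570 would read past the end of output[]. */
bool index_out_of_bounds(uint8_t argument)
{
    return raw_output_pos(argument) >= MAX_OUTPUT_NUMBER;
}

/* Hardened lookup: refuses operands that encode an invalid output number and
 * leaves *value untouched in that case. */
bool checked_output_value(uint8_t argument, int8_t *value)
{
    uint8_t output_pos = raw_output_pos(argument);
    if (output_pos >= MAX_OUTPUT_NUMBER)
        return false;
    *value = output[output_pos].output_value;
    return true;
}

/* How many of the 32 possible 5-bit operand values are unsafe. */
int count_unsafe_operands(void)
{
    int n = 0;
    for (unsigned a = 0; a < 32; a++)
        if (index_out_of_bounds((uint8_t)a))
            n++;
    return n;
}
```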
