URL:
https://www.st.com/content/st_com/en/products/embedded-software/mcu-mpu-embedded-software/stm32-embedded-software/stm32-ode-function-pack-sw/fp-ind-plcwifi1.html
Type:
Buffer overflow
Description:
The variable index_c, which equals comp_param[1]-1 as shown in line 486 of Ladder_Lib.c, is used as the index to access the global array counter_up and num_obj as shown in line from 487 to 493 of Ladder_Lib.c which may lead to a buffer overflow and unexpected branch jump.
66
#define MAX_COMPONENT_NUMBER 50
...
97
uint16_t num_obj[MAX_COMPONENT_NUMBER];
...
127
CounterStruct_Typedef counter_up[MAX_COMPONENT_NUMBER];
...
435
int8_t Component_parser(void)
436
{
...
486
index_c=comp_param[1]-1;
487
counter_up[index_c].CNT_number=comp_param[1];
488
counter_up[index_c].CNT_val=comp_param[2];
489
counter_up[index_c].CNT_dir=comp_param[3];
490
counter_up[index_c].CNT_output=Component[component_index+1];
492
if(counter_up[index_c].CNT_dir==0)
493
num_obj[index_c]=counter_up[index_c].CNT_val;
Result: Memory corruption and control flow hijacking.
