2020-06-29 10:52 PM
URL:
Type:
Buffer overflow
Description:
The variable decoded_index marks the position of the next decoded byte in the parameter frame. When the first frame byte decoded is an ASCII digit '0'-'9', decoded_index is incremented to one (line 270 of Ladder_Lib.c). If the next frame byte is '=', the check at line 341 passes (decoded_index is greater than zero and ServerData_RX[0] holds a value 0-9) and decoded_index is decremented back to zero (line 344). Line 345 then indexes the global array ServerData_RX with decoded_index - 1, which is now -1: an out-of-bounds access below the start of the array, and the value read there decides which branch the program takes, so the program jumps to an unexpected branch.
Code (Ladder_Lib.c, line numbers as referenced above):
236  int16_t WiFi_Decode (uint8_t* frame)
237  {
     ...
247      decoded_index = 0;
     ...
250      do{
252          decode=frame[dec_index++];
253          switch (decode)
254          {
     ...
264              case '9':
     ...
270                  ServerData_RX[decoded_index++]= (decode - 0x30);
     ...
340              case '=':
341                  if ((decoded_index > 0 )&&(ServerData_RX[decoded_index-1]<=9)&&
342                      (ServerData_RX[decoded_index-1] >=0))
343                  {
344                      decoded_index--;
345                      if((ServerData_RX[decoded_index-1]>0)&&(ServerData_RX[decoded_index-1] <=9))
     ...
429  }
Result: Control flow hijacking
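Added illustration (a constructed model written for this entry, not code from Ladder_Lib.c): the '0'-'9' and '=' cases of the decoder are rebuilt with a guard byte placed directly below the receive buffer, so the index -1 read at line 345 lands on a known sentinel and becomes observable, and a `hardened` flag adds the bound check that line 345 lacks. The names ServerData_RX and decoded_index come from the excerpt; RX_LEN, GUARD, decode_model and the hardened flag are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the '0'..'9' and '=' cases of WiFi_Decode (not the
 * project's code). backing[0] is a guard byte sitting just below the buffer,
 * so ServerData_RX[-1] is a well-defined read of a known sentinel here,
 * whereas in the real program it reads whatever precedes the global. */
#define RX_LEN 16
#define GUARD  0xEE
static uint8_t backing[RX_LEN + 1] = { GUARD };      /* backing[0] is the guard */
static uint8_t *const ServerData_RX = backing + 1;   /* ServerData_RX[-1] == GUARD */

/* Feeds len frame bytes through the modelled cases and returns the byte the
 * '=' branch reads at ServerData_RX[decoded_index - 1] (line 345).
 * Returns -1 if no '=' step completed, -2 if a bound check rejected the frame.
 * With hardened == 0 the original control flow is kept, including the bug. */
int decode_model(const uint8_t *frame, size_t len, int hardened)
{
    int decoded_index = 0;
    memset(ServerData_RX, 0, RX_LEN);
    for (size_t i = 0; i < len; i++) {
        uint8_t decode = frame[i];
        if (decode >= '0' && decode <= '9') {              /* lines 264-270 */
            if (decoded_index >= RX_LEN)
                return -2;                /* harness bound, not in the excerpt */
            ServerData_RX[decoded_index++] = decode - 0x30;
        } else if (decode == '=') {                        /* lines 340-345 */
            /* Line 341; the >= 0 half of the check is always true for uint8_t. */
            if (decoded_index > 0 && ServerData_RX[decoded_index - 1] <= 9) {
                decoded_index--;                           /* line 344 */
                /* Line 345 indexes decoded_index - 1 again: after the
                 * decrement that is -1 when a single digit preceded '='. */
                if (hardened && decoded_index < 1)
                    return -2;                             /* the missing check */
                return ServerData_RX[decoded_index - 1];
            }
        }
    }
    return -1;
}
```

With the frame "5=" the unhardened path returns GUARD (the byte below the buffer), while "45=" reads ServerData_RX[0] in both modes.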