2020-06-29 10:53 PM
URL:
Type:
Buffer overflow
Description:
The global variable component_index (a uint16_t, Ladder_Lib.c line 102) is initialized to zero when the program starts. If it is still 0, or has only been changed to 1, when WiFi_Decode reaches line 265 of Ladder_Lib.c, the access Component[component_index-1] there, or Component[component_index-2] at line 267, indexes the global array Component before its start (the uint16_t is promoted to int before the subtraction, so component_index-1 evaluates to -1). The comparison therefore reads out-of-bounds memory (a buffer overflow), and because that memory decides the condition, the program may jump to an unexpected branch.
102    uint16_t component_index=0;
236    int16_t WiFi_Decode (uint8_t* frame)
237    {
       ...
265        if(((Component[0]=='T')||(Component[0]=='C'))&&Component[component_index-1]!=')')
266        {
267            if(Component[component_index-2]!=')')
       ...
429    }
Result: Control flow hijacking
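The following is an added example, not code from Ladder_Lib.c or from the project's authors, showing how the two-level check at lines 265/267 can be written so that the look-backs component_index-1 and component_index-2 are only evaluated once the index is known to stay inside the buffer. The buffer size COMPONENT_MAX, the function names ladder_component_branch and ladder_check_token, the enum values and the sample tokens are all constructed for this example; the real size of Component and the body of the inner branch are not given in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the global parse buffer in the report;
 * the real size in Ladder_Lib.c is not given, so 32 is an assumption. */
#define COMPONENT_MAX 32
static char Component[COMPONENT_MAX];
static uint16_t component_index = 0;

/* Possible outcomes of the check at lines 265/267 of the report. */
enum ladder_branch {
    LADDER_BAD_INDEX = -1,  /* a look-back would leave the buffer: refuse */
    LADDER_NO_MATCH  = 0,   /* outer condition (line 265) is false */
    LADDER_OUTER     = 1,   /* outer true, inner condition (line 267) false */
    LADDER_INNER     = 2    /* both conditions true */
};

/* Hardened equivalent of the original check. With index == 0 the original
 * code computes index-1 as the int -1 (uint16_t promotes to int), so
 * Component[-1] is read; the guard below rejects any index for which
 * index-1 or index-2 would fall outside [0, cap). */
enum ladder_branch ladder_component_branch(const char *component,
                                           uint16_t index, size_t cap)
{
    if (index < 2 || index > cap)
        return LADDER_BAD_INDEX;
    if (!(component[0] == 'T' || component[0] == 'C') ||
        component[index - 1] == ')')
        return LADDER_NO_MATCH;
    if (component[index - 2] != ')')
        return LADDER_INNER;
    return LADDER_OUTER;
}

/* Mirrors the report's scenario: load a constructed token into the global
 * buffer, set component_index to its length, and run the guarded check.
 * An empty token leaves component_index at 0, the case the report describes. */
enum ladder_branch ladder_check_token(const char *token)
{
    size_t n = strlen(token);
    if (n > COMPONENT_MAX)
        return LADDER_BAD_INDEX;
    memset(Component, 0, sizeof Component);
    memcpy(Component, token, n);
    component_index = (uint16_t)n;
    return ladder_component_branch(Component, component_index, COMPONENT_MAX);
}

int main(void)
{
    /* Constructed sample tokens: the first two would trigger the out-of-bounds
     * read in the original code; the rest exercise the normal branches. */
    const char *samples[] = { "", "T", "TON(", "T)x", "TON()", "XY" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], ladder_check_token(samples[i]));
    return 0;
}
```

The guard uses the same comparisons as the original; the only behavioural difference is that an index below 2 (or above the buffer size) is reported as LADDER_BAD_INDEX instead of being used to read outside Component, so the branch decision can no longer depend on memory outside the array.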