2020-06-29 10:55 PM
URL:
Type:
Buffer overflow
Description:
In the function Evalute_Expression, the local variable output_pos is derived from the variable argument (line 569 of Ladder_Lib.c), which in turn is read from output[output_index].Expression[index++] (line 536 of Ladder_Lib.c). When output_pos is then used as an index into the global array output (line 570 of Ladder_Lib.c), no bounds check is performed, so the access can overflow the buffer and the program may jump to an unexpected branch.
 56: #define MAX_OUTPUT_NUMBER 30
...
124: OutputStructure_Typedef output[MAX_OUTPUT_NUMBER];
...
522: uint8_t Evalute_Expression(uint8_t output_index)
523: {
...
536:     while((argument=output[output_index].Expression[index++])!=0)
...
569:     uint8_t output_pos=(argument&0x1F)-1;
570:     if(output[output_pos].output_value!=-1)
...
780: }
Result: Control flow hijacking
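The following C program is an added illustration, not code from Ladder_Lib.c. It reproduces the index derivation quoted above (line 569) on a simplified stand-in for output[], shows which expression bytes produce an index outside output[0..29], and places a bounds-checked derivation beside it. Everything except MAX_OUTPUT_NUMBER, output, output_value and the expression (argument&0x1F)-1 is an assumption made for this example, including the struct layout and the function names.

```c
/* Added example, not part of Ladder_Lib.c: unchecked vs. checked derivation
 * of the output[] index used in Evalute_Expression. Struct layout and all
 * function names below are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_OUTPUT_NUMBER 30

/* Assumed, simplified stand-in for OutputStructure_Typedef. */
typedef struct {
    int8_t output_value;
} OutputStructure_Typedef;

OutputStructure_Typedef output[MAX_OUTPUT_NUMBER];

/* Derivation exactly as on line 569 of the report. The intermediate value
 * (argument & 0x1F) - 1 is an int in the range -1..30; storing it in a
 * uint8_t turns -1 into 255, and 30 is also past the last element (29). */
uint8_t derive_output_pos(uint8_t argument)
{
    uint8_t output_pos = (argument & 0x1F) - 1;
    return output_pos;
}

/* Assumed fix: compute the candidate index in a wide signed type and
 * accept it only when it names an existing element.
 * Returns the index (0..MAX_OUTPUT_NUMBER-1) or -1 when out of range. */
int checked_output_pos(uint8_t argument)
{
    int candidate = (int)(argument & 0x1F) - 1;
    if (candidate < 0 || candidate >= MAX_OUTPUT_NUMBER) {
        return -1;
    }
    return candidate;
}

/* The test on line 570, guarded by the checked derivation.
 * Returns 1 if output[pos].output_value != -1, 0 if it equals -1,
 * and -1 if the argument does not reference a valid output. */
int read_output_flag(uint8_t argument)
{
    int pos = checked_output_pos(argument);
    if (pos < 0) {
        return -1;
    }
    return output[pos].output_value != -1 ? 1 : 0;
}

int main(void)
{
    /* Constructed expression bytes: 0x01 -> index 0 (valid), 0x1E -> 29
     * (last valid), 0x1F -> 30 (one past the end), 0x20 -> low five bits
     * zero, which the unchecked form turns into 255. */
    const uint8_t samples[] = { 0x01, 0x1E, 0x1F, 0x20 };
    for (size_t i = 0; i < sizeof samples; i++) {
        printf("argument 0x%02X: unchecked index %u, checked index %d, flag %d\n",
               samples[i], derive_output_pos(samples[i]),
               checked_output_pos(samples[i]), read_output_flag(samples[i]));
    }
    return 0;
}
```

Running it prints the unchecked index for each byte next to the checked result; the two bytes 0x1F and 0x20 are the ones the original code would use to read past output[], and the checked variant reports -1 for both instead. In a detection or review setting, any expression byte whose low five bits are 0 or exceed MAX_OUTPUT_NUMBER is the signal to look for in ladder programs loaded onto the device.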