
STM-PLC bug7

SDawn.1
Associate II

URL:

https://www.st.com/content/st_com/en/products/embedded-software/mcu-mpu-embedded-software/stm32-embedded-software/stm32-ode-function-pack-sw/fp-ind-plcwifi1.html

Type: 

Buffer overflow

Description:

The variable index_c, which equals comp_param[1]-1 as shown in line 486 of Ladder_Lib.c, is used as the index to access the global arrays counter_up and num_obj, as shown in lines 487 to 493 of Ladder_Lib.c, which may lead to a buffer overflow and an unexpected branch jump.

 66    #define MAX_COMPONENT_NUMBER             50
       ...
 97    uint16_t num_obj[MAX_COMPONENT_NUMBER];
       ...
127    CounterStruct_Typedef           counter_up[MAX_COMPONENT_NUMBER];
       ...
435    int8_t Component_parser(void)
436    {
       ...
486        index_c=comp_param[1]-1;
487        counter_up[index_c].CNT_number=comp_param[1];
488        counter_up[index_c].CNT_val=comp_param[2];
489        counter_up[index_c].CNT_dir=comp_param[3];
490        counter_up[index_c].CNT_output=Component[component_index+1];
492        if(counter_up[index_c].CNT_dir==0)
493            num_obj[index_c]=counter_up[index_c].CNT_val;

Result: Memory corruption and control flow hijacking.
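A bounds-checked version of the counter update, added here as an example and not code from FP-IND-PLCWIFI1 or its author. Only MAX_COMPONENT_NUMBER and the field names come from the post above; the struct layout, the uint16_t type of comp_param and the function signature are assumptions.

```c
/* Added example, not the FP-IND-PLCWIFI1 sources: the counter_up / num_obj
 * update from Ladder_Lib.c with the missing range check on comp_param[1].
 * Struct layout, parameter types and the function interface are assumed. */
#include <stdint.h>
#include <stddef.h>

#define MAX_COMPONENT_NUMBER 50

typedef struct {
    uint16_t CNT_number;
    uint16_t CNT_val;
    uint16_t CNT_dir;
    uint16_t CNT_output;
} CounterStruct_Typedef;

static uint16_t num_obj[MAX_COMPONENT_NUMBER];
static CounterStruct_Typedef counter_up[MAX_COMPONENT_NUMBER];

/* comp_param[1] is the 1-based counter number read from the ladder program,
 * i.e. untrusted input. Returns 0 on success, -1 if the number would index
 * outside counter_up / num_obj (the out-of-bounds write is refused). */
int8_t counter_component_parse(const uint16_t comp_param[4], uint16_t cnt_output)
{
    /* Valid numbers are 1..MAX_COMPONENT_NUMBER. A value of 0 would wrap to
     * 65535 after the -1; anything above MAX_COMPONENT_NUMBER runs past the
     * end of both global arrays. Both cases are rejected before any write. */
    if (comp_param[1] < 1 || comp_param[1] > MAX_COMPONENT_NUMBER) {
        return -1;
    }
    size_t index_c = (size_t)comp_param[1] - 1;

    counter_up[index_c].CNT_number = comp_param[1];
    counter_up[index_c].CNT_val    = comp_param[2];
    counter_up[index_c].CNT_dir    = comp_param[3];
    counter_up[index_c].CNT_output = cnt_output;

    if (counter_up[index_c].CNT_dir == 0) {
        num_obj[index_c] = counter_up[index_c].CNT_val;
    }
    return 0;
}

/* Read-back helper so callers can inspect what was stored for slot i. */
uint16_t counter_num_obj(size_t i)
{
    return (i < MAX_COMPONENT_NUMBER) ? num_obj[i] : 0;
}
```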
