Title | Tenda AC6 V15.03.05.16 Buffer Overflow |
---|
Description | Tenda AC6 Vx.x.x.x firmware is vulnerable to a buffer overflow via the function "GetParentControlInfo".
Firmware download website:
https://www.tenda.com.cn/material/show/102661
In this code, strcpy is used to copy the string pointed to by src to the memory area pointed to by s at offset 2. The problems are as follows:
The target buffer size is unclear: s is allocated 0x254 bytes of memory (596 bytes), but strcpy does not check the size of the target buffer and directly copies the contents of src to the s + 2 position. If the length of the src string exceeds the memory space available after the s + 2 position, strcpy will cause a buffer overflow.
The size of src is not verified: src is obtained from sub_2B7C4(a1, "mac", &unk_EA0EC), and it is not ensured that the string does not exceed the size of the memory space after the s + 2 offset. If the length of src is too long and exceeds the memory range allocated by s, strcpy will write to the out-of-bounds memory area, causing an overflow. |
---|
Source | https://github.com/wy876/cve/issues/5 |
---|
User | WY596 (UID 79884) |
---|
Submission | 01/08/2025 07:34 AM (1 month ago) |
---|
Moderation | 01/08/2025 09:41 PM (14 hours later) |
---|
Status | Accepted |
---|
VulDB Entry | 290862 [Tenda AC6 15.03.05.16 GetParentControlInfo src stack-based overflow] |
---|
Points | 20 |
---|
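
The unchecked copy into s + 2 described above, next to a bounded replacement. This is an added example, not code from the firmware or from the report. The function names, the constant names and the assumption that a valid "mac" value is a 17-character colon-separated address are illustrative; only the 0x254 size and the offset of 2 come from the description.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ENTRY_SIZE 0x254 /* allocation size of s given in the report */
#define MAC_OFFSET 2     /* the report's copy destination is s + 2 */
#define MAC_STRLEN 17    /* assumption: value is "xx:xx:xx:xx:xx:xx" */

/* Pattern from the report, for comparison: src length is never checked. */
void set_mac_unchecked(char *s, const char *src)
{
    strcpy(s + MAC_OFFSET, src);
}

/* Length of src, scanning at most max bytes. */
static size_t bounded_len(const char *src, size_t max)
{
    size_t n = 0;
    while (n < max && src[n] != '\0')
        n++;
    return n;
}

/* Returns 1 if src is exactly six colon-separated hex octets, else 0. */
int is_mac(const char *src)
{
    if (bounded_len(src, MAC_STRLEN + 1) != MAC_STRLEN)
        return 0;
    for (size_t i = 0; i < MAC_STRLEN; i++) {
        if (i % 3 == 2) {
            if (src[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)src[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened copy: 0 on success, -1 if src is malformed or does not fit. */
int set_mac_checked(char *s, size_t s_size, const char *src)
{
    if (s == NULL || src == NULL || !is_mac(src))
        return -1;
    if (s_size < MAC_OFFSET + MAC_STRLEN + 1) /* room after s + 2, incl. NUL */
        return -1;
    memcpy(s + MAC_OFFSET, src, MAC_STRLEN + 1);
    return 0;
}
```

Rejecting the request when the check fails, rather than truncating, keeps a malformed value from being stored at all.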