| عنوان | Linux OpENer (Open EtherNet/IP Stack) lastet Use After Free |
|---|
| الوصف | In the current master branch of OpENer, a stack‑use‑after‑return vulnerability exists in the TCP explicit‑message (SendRRData) processing path. The function `HandleDataOnTcpSocket()` stores the received EtherNet/IP packet into a local stack buffer (`incoming_message`). This buffer is then passed as a raw pointer through multiple layers: encapsulation parsing, CPF (Common Packet Format) parsing, and message routing. The CPF layer stores the pointer to the CIP payload (`data_item.data`) without copying the data to a separately managed storage area. Later, when the original stack frame has returned, the message router function `CreateMessageRouterRequestStructure()` dereferences this pointer (e.g., `*data`) to read the service byte. Because the stack memory has been reclaimed (the function `HandleDataOnTcpSocket()` has already returned when the socket event loop continues), this access causes an invalid memory read. AddressSanitizer reports the issue as `stack-use-after-return`, and the server crashes (denial of service). The vulnerability can be triggered remotely using a crafted `SendRRData` request and has been reproduced on the POSIX server build. |
|---|
| المصدر | ⚠️ https://github.com/EIPStackGroup/OpENer/issues/566 |
|---|
| المستخدم | QvuQ_lkx (UID 98260) |
|---|
| ارسال | 15/05/2026 03:04 PM (20 أيام منذ) |
|---|
| الاعتدال | 02/06/2026 07:42 PM (18 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 368016 [EIPStackGroup OpENer حتى 2.3.0 SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure تلف الذاكرة] |
|---|
| النقاط | 20 |
|---|