| Título | Linux OpENer (Open EtherNet/IP Stack) lastet Use After Free |
|---|
| Descripción | In the current master branch of OpENer, a stack‑use‑after‑return vulnerability exists in the TCP explicit‑message (SendRRData) processing path. The function `HandleDataOnTcpSocket()` stores the received EtherNet/IP packet into a local stack buffer (`incoming_message`). This buffer is then passed as a raw pointer through multiple layers: encapsulation parsing, CPF (Common Packet Format) parsing, and message routing. The CPF layer stores the pointer to the CIP payload (`data_item.data`) without copying the data to a separately managed storage area. Later, when the original stack frame has returned, the message router function `CreateMessageRouterRequestStructure()` dereferences this pointer (e.g., `*data`) to read the service byte. Because the stack memory has been reclaimed (the function `HandleDataOnTcpSocket()` has already returned when the socket event loop continues), this access causes an invalid memory read. AddressSanitizer reports the issue as `stack-use-after-return`, and the server crashes (denial of service). The vulnerability can be triggered remotely using a crafted `SendRRData` request and has been reproduced on the POSIX server build. |
|---|
| Fuente | ⚠️ https://github.com/EIPStackGroup/OpENer/issues/566 |
|---|
| Usuario | QvuQ_lkx (UID 98260) |
|---|
| Sumisión | 2026-05-15 15:04 (hace 20 días) |
|---|
| Moderación | 2026-06-02 19:42 (18 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 368016 [EIPStackGroup OpENer hasta 2.3.0 SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure desbordamiento de búfer] |
|---|
| Puntos | 20 |
|---|