| タイトル | Linux OpENer (Open EtherNet/IP Stack) lastet Use After Free |
|---|
| 説明 | In the current master branch of OpENer, a stack‑use‑after‑return vulnerability exists in the TCP explicit‑message (SendRRData) processing path. The function `HandleDataOnTcpSocket()` stores the received EtherNet/IP packet into a local stack buffer (`incoming_message`). This buffer is then passed as a raw pointer through multiple layers: encapsulation parsing, CPF (Common Packet Format) parsing, and message routing. The CPF layer stores the pointer to the CIP payload (`data_item.data`) without copying the data to a separately managed storage area. Later, when the original stack frame has returned, the message router function `CreateMessageRouterRequestStructure()` dereferences this pointer (e.g., `*data`) to read the service byte. Because the stack memory has been reclaimed (the function `HandleDataOnTcpSocket()` has already returned when the socket event loop continues), this access causes an invalid memory read. AddressSanitizer reports the issue as `stack-use-after-return`, and the server crashes (denial of service). The vulnerability can be triggered remotely using a crafted `SendRRData` request and has been reproduced on the POSIX server build. |
|---|
| ソース | ⚠️ https://github.com/EIPStackGroup/OpENer/issues/566 |
|---|
| ユーザー | QvuQ_lkx (UID 98260) |
|---|
| 送信 | 2026年05月15日 15:04 (20 日 ago) |
|---|
| モデレーション | 2026年06月02日 19:42 (18 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 368016 [EIPStackGroup OpENer 迄 2.3.0 SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure メモリ破損] |
|---|
| ポイント | 20 |
|---|