| Title | Tenda AC6 V15.03.05.16 Buffer Overflow |
|---|
| Description | Tenda AC6 V15.03.05.16 firmware is vulnerable to a buffer overflow in the function "GetParentControlInfo".
Firmware download website:
https://www.tenda.com.cn/material/show/102661
In this code, strcpy copies the string pointed to by src into the memory area pointed to by s, starting at offset 2. The problems are as follows:
The target buffer size is not enforced: s is allocated 0x254 bytes of memory (596 bytes), but strcpy does not check the size of the target buffer and copies the contents of src directly to s + 2. If the src string is longer than the memory space available after s + 2, strcpy causes a buffer overflow.
The size of src is not verified: src is obtained from sub_2B7C4(a1, "mac", &unk_EA0EC), and nothing ensures that the string fits in the memory space after the s + 2 offset. If src is too long and exceeds the memory range allocated for s, strcpy writes to out-of-bounds memory, causing an overflow. |
|---|
| Source | ⚠️ https://github.com/wy876/cve/issues/5 |
|---|
| User | WY596 (UID 79884) |
|---|
| Submission | 01/08/2025 07:34 (1 Year ago) |
|---|
| Moderation | 01/08/2025 21:41 (14 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 290862 [Tenda AC6 15.03.05.16 GetParentControlInfo src/mac stack-based overflow] |
|---|
| Points | 20 |
|---|
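
The copy pattern from the description, next to a bounds-checked form, as an added example (not the firmware's decompiled code). The function names `copy_mac_unchecked`, `is_mac` and `copy_mac_checked` are hypothetical, and the expected "xx:xx:xx:xx:xx:xx" format for the "mac" parameter is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INFO_SIZE  0x254 /* 596 bytes, the size of s in the description */
#define MAC_OFFSET 2     /* the copy destination is s + 2 */

/* Pattern from the description: strlen(src) is never compared with the
 * INFO_SIZE - MAC_OFFSET bytes that remain after s + 2. */
void copy_mac_unchecked(char *s, const char *src)
{
    strcpy(s + MAC_OFFSET, src);
}

/* Assumption: "mac" should carry a MAC address as "xx:xx:xx:xx:xx:xx". */
int is_mac(const char *p)
{
    if (p == NULL || strlen(p) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        int ok = (i % 3 == 2) ? p[i] == ':' : isxdigit((unsigned char)p[i]);
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened form: reject malformed input, then copy with an explicit bound.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_mac_checked(char *s, size_t s_size, const char *src)
{
    if (s == NULL || s_size <= MAC_OFFSET || !is_mac(src))
        return -1;
    size_t len = strlen(src);
    if (len + 1 > s_size - MAC_OFFSET) /* +1 for the terminating NUL */
        return -1;
    memcpy(s + MAC_OFFSET, src, len + 1);
    return 0;
}

int main(void)
{
    char s[INFO_SIZE] = {0}, big[1024] = {0};
    memset(big, 'A', sizeof big - 1); /* constructed oversized "mac" value */
    printf("valid: %d\n", copy_mac_checked(s, sizeof s, "aa:bb:cc:dd:ee:ff"));
    printf("oversized: %d\n", copy_mac_checked(s, sizeof s, big));
    return 0;
}
```

The length comparison stays in `copy_mac_checked` even though `is_mac` already caps the input at 17 characters, so the copy remains bounded if the format check is later relaxed or the destination shrinks.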