| Title | Linux OpENer (Open EtherNet/IP Stack) lastet Use After Free |
|---|
| Description | In the current master branch of OpENer, a stack‑use‑after‑return vulnerability exists in the TCP explicit‑message (SendRRData) processing path. The function `HandleDataOnTcpSocket()` stores the received EtherNet/IP packet into a local stack buffer (`incoming_message`). This buffer is then passed as a raw pointer through multiple layers: encapsulation parsing, CPF (Common Packet Format) parsing, and message routing. The CPF layer stores the pointer to the CIP payload (`data_item.data`) without copying the data to a separately managed storage area. Later, when the original stack frame has returned, the message router function `CreateMessageRouterRequestStructure()` dereferences this pointer (e.g., `*data`) to read the service byte. Because the stack memory has been reclaimed (the function `HandleDataOnTcpSocket()` has already returned when the socket event loop continues), this access causes an invalid memory read. AddressSanitizer reports the issue as `stack-use-after-return`, and the server crashes (denial of service). The vulnerability can be triggered remotely using a crafted `SendRRData` request and has been reproduced on the POSIX server build. |
|---|
| Source | ⚠️ https://github.com/EIPStackGroup/OpENer/issues/566 |
|---|
| User | QvuQ_lkx (UID 98260) |
|---|
| Submission | 05/15/2026 15:04 (2 months ago) |
|---|
| Moderation | 06/02/2026 19:42 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 368016 [EIPStackGroup OpENer up to 2.3.0 SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure use after free] |
|---|
| Points | 20 |
|---|