| Field | Value |
|---|---|
| Title | liftoff-sr CIPster master (reproduced on 1802525be27d33e19a9a83c163e331a1d13b1892) Out-of-bounds Read/Write |
| Description | CIPster master contains a memory corruption issue in its generic attribute handling that is reachable in API-enabled deployments. In a deployment that exposes the same ByteBuf object header through both a readable/writable kCipByteArray attribute and a readable/writable kCipUdint attribute, a remote unauthenticated EtherNet/IP explicit-message client can first use SetAttributeSingle on the kCipUdint alias to overwrite the low 32 bits of ByteBuf.start while leaving ByteBuf.limit unchanged. This corrupts the shared ByteBuf metadata and expands the logical size seen by later generic handlers. A subsequent GetAttributeSingle on the kCipByteArray alias triggers an out-of-bounds read in the generic EncodeData -> BufWriter::append -> memcpy path, while a subsequent SetAttributeSingle on the same kCipByteArray alias triggers an out-of-bounds write in the generic DecodeData -> BufWriter::append -> memcpy path. The crash occurs inside CIPster core code rather than in application-specific memcpy logic. This issue is not claimed to be directly reachable in the stock sample as shipped; it is reachable in API-enabled deployments created through CIPster's public object/attribute registration model. The demonstrated impact is an unauthenticated remote process crash, with independently triggerable out-of-bounds read and out-of-bounds write primitives. |
| Source | https://github.com/liftoff-sr/CIPster/issues/48 |
| User | Carnegie (UID 98671) |
| Submission | 06/01/2026 08:02 (28 days ago) |
| Moderation | 06/29/2026 07:04 (28 days later) |
| Status | Accepted |
| VulDB entry | 374596 [liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4 EtherNet IP Message BufWriter::append out-of-bounds write] |
| Points | 20 |
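As an added illustration, not part of the submission above and not CIPster's own code, the following C model shows why exposing one ByteBuf header through both a kCipUdint and a kCipByteArray attribute is dangerous: the UDINT alias rewrites the low 32 bits of `start`, the generic handlers derive the payload length as `limit - start`, and an unchecked `memcpy` of that length walks out of the backing array. It also shows the two checks a deployment or the stack could apply: validating the span against the attribute's registered storage before copying, and refusing at registration time to bind a UDINT attribute to storage that overlaps a ByteBuf header. The struct layout, the names (`g_backing`, `span_in_bounds`, `encode_checked`, `udint_overlaps_header`, `run_scenario`), the backing-array size and the attacker-chosen UDINT value are assumptions of this example; the little-endian placement of the low 32 bits is a stated assumption modelled with integer arithmetic; and the unchecked copy is only ever invoked after the span has been verified, so the demo itself stays memory-safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the shared-header problem, not CIPster's code.
 * A ByteBuf header holds start/limit pointers into a backing array; the
 * generic encode/decode handlers take the payload length to be limit - start. */
typedef struct {
    uint8_t *start;
    uint8_t *limit;
} ByteBuf;

enum { BACKING_CAP = 32 };
static uint8_t g_backing[BACKING_CAP]; /* storage behind the kCipByteArray attribute (assumed size) */
static ByteBuf g_buf;                  /* the header exposed through both aliases */

/* Reset to a sane state: 16 payload bytes inside the backing array. */
void bytebuf_reset(void) {
    for (int i = 0; i < BACKING_CAP; i++) g_backing[i] = (uint8_t)i;
    g_buf.start = g_backing;
    g_buf.limit = g_backing + 16;
}

/* Logical size as the generic handlers see it. Computed on integer
 * addresses so a corrupted pointer is never dereferenced here. */
size_t bytebuf_size(const ByteBuf *b) {
    return (size_t)((uintptr_t)b->limit - (uintptr_t)b->start);
}

/* kCipUdint alias: SetAttributeSingle stores a 32-bit value into the first
 * four bytes of the header, i.e. the low 32 bits of start on a little-endian
 * host, while limit is untouched. Modelled arithmetically for portability. */
void set_udint_alias(ByteBuf *b, uint32_t value) {
    uintptr_t p = (uintptr_t)b->start;
    p = (p & ~(uintptr_t)0xffffffffu) | value;
    b->start = (uint8_t *)p;
}

/* Does [start, limit) lie entirely inside the registered backing storage? */
bool span_in_bounds(const ByteBuf *b, const uint8_t *base, size_t cap) {
    uintptr_t s = (uintptr_t)b->start, l = (uintptr_t)b->limit;
    uintptr_t lo = (uintptr_t)base, hi = lo + cap;
    return s <= l && s >= lo && l <= hi;
}

/* The vulnerable shape: copy limit - start bytes without asking whether that
 * span is still inside the backing array. Only reached after a bounds check
 * in this demo. */
size_t encode_unchecked(const ByteBuf *b, uint8_t *dst) {
    size_t n = bytebuf_size(b);
    memcpy(dst, b->start, n);
    return n;
}

/* Hardened GetAttributeSingle path: reject spans outside the registered
 * storage or larger than the destination. Returns bytes copied or -1. */
long encode_checked(const ByteBuf *b, const uint8_t *base, size_t cap,
                    uint8_t *dst, size_t dst_cap) {
    if (!span_in_bounds(b, base, cap)) return -1;
    size_t n = bytebuf_size(b);
    if (n > dst_cap) return -1;
    return (long)encode_unchecked(b, dst);
}

/* Hardened SetAttributeSingle path for the byte array: same span check,
 * and the incoming length must fit the current payload. Returns -1 on reject. */
long decode_checked(ByteBuf *b, const uint8_t *base, size_t cap,
                    const uint8_t *src, size_t n) {
    if (!span_in_bounds(b, base, cap) || n > bytebuf_size(b)) return -1;
    memcpy(b->start, src, n);
    return (long)n;
}

/* Registration-time guard: a UDINT attribute must not be backed by storage
 * that overlaps a ByteBuf header belonging to a byte-array attribute. */
bool udint_overlaps_header(const void *udint_storage, const ByteBuf *hdr) {
    uintptr_t u0 = (uintptr_t)udint_storage, u1 = u0 + sizeof(uint32_t);
    uintptr_t h0 = (uintptr_t)hdr, h1 = h0 + sizeof *hdr;
    return u0 < h1 && h0 < u1;
}

/* Walk the scenario from the report: before the UDINT write the span is 16
 * bytes; after the low 32 bits of start are moved below the array, limit -
 * start no longer describes memory inside g_backing and the checked path
 * refuses to copy. The attacker value here is constructed for the demo. */
long run_scenario(size_t *size_before, size_t *size_after) {
    uint8_t out[BACKING_CAP];
    bytebuf_reset();
    *size_before = bytebuf_size(&g_buf);
    uint32_t forged = (uint32_t)(uintptr_t)g_backing - 0x100u;
    set_udint_alias(&g_buf, forged);
    *size_after = bytebuf_size(&g_buf);
    return encode_checked(&g_buf, g_backing, BACKING_CAP, out, sizeof out);
}
```

The span check is the cheap fix at the handler level; the registration guard is the structural one, since the report's precondition is precisely that two attributes of different CIP types are bound to the same bytes.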