| Field | Value |
|---|---|
| Title | Linux OpENer (Open EtherNet/IP Stack) latest Use After Free |
| Description | In the current master branch of OpENer, a stack-use-after-return vulnerability exists in the TCP explicit-message (SendRRData) processing path. The function `HandleDataOnTcpSocket()` stores the received EtherNet/IP packet into a local stack buffer (`incoming_message`). This buffer is then passed as a raw pointer through multiple layers: encapsulation parsing, CPF (Common Packet Format) parsing, and message routing. The CPF layer stores the pointer to the CIP payload (`data_item.data`) without copying the data to a separately managed storage area. Later, when the original stack frame has returned, the message router function `CreateMessageRouterRequestStructure()` dereferences this pointer (e.g., `*data`) to read the service byte. Because the stack memory has been reclaimed (the function `HandleDataOnTcpSocket()` has already returned when the socket event loop continues), this access causes an invalid memory read. AddressSanitizer reports the issue as `stack-use-after-return`, and the server crashes (denial of service). The vulnerability can be triggered remotely using a crafted `SendRRData` request and has been reproduced on the POSIX server build. |
| Source | https://github.com/EIPStackGroup/OpENer/issues/566 |
| User | QvuQ_lkx (UID 98260) |
| Submitted | 15/05/2026 15:04 (20 days ago) |
| Moderated | 02/06/2026 19:42 (18 days later) |
| Status | accepted |
| VulDB entry | 368016 [EIPStackGroup OpENer up to 2.3.0 SendRRData cipmessagerouter.c CreateMessageRouterRequestStructure buffer overflow] |
| Points | 20 |
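As an added illustration that is neither the submission's nor OpENer's code, the hypothetical C model below shows the data flow the description outlines and the fix a maintainer would apply: bound the payload length and deep-copy the CIP bytes into storage that outlives the receiving function's stack frame, instead of retaining a pointer into the local `incoming_message` buffer. The frame layout, constants, sample bytes and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not OpENer code: one function parses a received frame out of a
 * local buffer, a later call consumes the CIP payload. Layout and sizes are assumed. */
#define ENCAP_HEADER_LEN 4
#define MAX_CIP_PAYLOAD 64

/* Constructed sample frame: 4-byte pretend encapsulation header, then a CIP request
 * whose first byte (0x0E, Get_Attribute_All) is the service code the router reads. */
static const uint8_t kSampleFrame[] = { 0x6F, 0x00, 0x04, 0x00, 0x0E, 0x02, 0x20, 0x01 };

/* Reference shape, as in the report: only a pointer is kept. When it points into a
 * caller's stack buffer it dangles as soon as that function returns. */
typedef struct { const uint8_t *data; size_t length; } CpfDataItemRef;

/* Hardened shape: a bounded, owned copy whose lifetime does not depend on the
 * receive buffer. */
typedef struct { uint8_t data[MAX_CIP_PAYLOAD]; size_t length; bool valid; } CpfDataItemOwned;

static CpfDataItemOwned g_request;   /* long-lived, module-level storage */

/* Like HandleDataOnTcpSocket(): copies the frame into a stack buffer and parses it, but
 * deep-copies the CIP payload out before returning. False on malformed/oversized input. */
bool handle_frame(const uint8_t *frame, size_t frame_len) {
    uint8_t incoming_message[128];               /* dies when this function returns */
    if (frame_len <= ENCAP_HEADER_LEN || frame_len > sizeof incoming_message) return false;
    memcpy(incoming_message, frame, frame_len);

    CpfDataItemRef item = { incoming_message + ENCAP_HEADER_LEN, frame_len - ENCAP_HEADER_LEN };
    if (item.length > MAX_CIP_PAYLOAD) return false;

    /* The fix: retain a copy of the bytes, never the pointer into incoming_message. */
    memcpy(g_request.data, item.data, item.length);
    g_request.length = item.length;
    g_request.valid = true;
    return true;
}

/* Like CreateMessageRouterRequestStructure(): reads the service byte later, from the
 * owned copy. Returns -1 when nothing valid is stored. */
int read_service_code(void) {
    if (!g_request.valid) return -1;
    return g_request.data[0];
}

const uint8_t *sample_frame(void) { return kSampleFrame; }
size_t sample_frame_len(void) { return sizeof kSampleFrame; }
```

To confirm a fix in the real code base, build with `-fsanitize=address` and run with `ASAN_OPTIONS=detect_stack_use_after_return=1`, since AddressSanitizer's fake-stack mode is what produces the `stack-use-after-return` report the submission cites.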