The UaInt32Array::create() function in the Unified Automation C based PubSub Stack is vulnerable to a NULL dereference, which can allow a remote attacker to cause a denial of service.
Unified Automation C++ Based OPC UA PubSub SDK
Unified Automation ANSI C Based OPC UA Client & Server SDK
Unified Automation HighPerf SDK

Unified Automation C++ based OPC UA Client Server SDK (, 1.7.6], fixed in 1.7.7
Unified Automation AnsiC SDK (, 1.9.2], fixed in 1.9.3
Unified Automation HighPerf SDK (, 1.5.2], fixed in 1.6.0
The Unified Automation bundle is used to develop OPC UA PubSub support in C++ and C. It is developed by Unified Automation.
There is a possible NULL dereference in UaInt32Array::create():
    void __cdecl UaInt32Array::create(UaInt32Array *const this, OpcUa_UInt32_0 length)
    {
        UaInt32Array::clear(this);
        if ( length )
        {
            this->m_data = (OpcUa_Int32_0 *)OpcUa_Memory_Alloc(4 * length);
            memset(this->m_data, 0, 4LL * length);
            this->m_noOfElements = length;
        }
    }
memset() is called directly after OpcUa_Memory_Alloc() without checking whether this->m_data is NULL. It might be NULL if the requested length is too big.
UaInt32Array::create() is called from PubSubServer::DataSetDispatcherDataItemTargetVariable::DataSetDispatcherDataItemTargetVariable() when parsing a fieldMetadata.ValueRank that is passed in a PubSubConfig; that value eventually ends up in the length parameter.
No PoC is supplied for this issue.
No mitigations are supplied for this issue.
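One way to close the gap described above, as an added example (not Unified Automation's code and not its actual fix): a stand-alone C model of create() that caps the length, checks the allocation before memset(), and reports failure to the caller. The Int32Array type, int32_array_create(), the alloc_fn parameter and the ARRAY_MAX_ELEMENTS cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the SDK types; not Unified Automation code. */
typedef struct {
    int32_t  *m_data;
    uint32_t  m_noOfElements;
} Int32Array;

typedef void *(*alloc_fn)(size_t);   /* injectable so failure can be simulated */

enum { ARRAY_OK = 0, ARRAY_TOO_LARGE = -1, ARRAY_NO_MEMORY = -2 };

/* Assumed policy cap for lengths that come from untrusted configuration. */
#define ARRAY_MAX_ELEMENTS 65536u

static void int32_array_clear(Int32Array *a)
{
    free(a->m_data);
    a->m_data = NULL;
    a->m_noOfElements = 0;
}

/* Allocator that always fails, standing in for an oversized request. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Hardened create(): bounds the length, checks the allocation before
 * memset(), and publishes the element count only on success. */
static int int32_array_create(Int32Array *a, uint32_t length, alloc_fn alloc)
{
    int32_array_clear(a);
    if (length == 0)
        return ARRAY_OK;
    if (length > ARRAY_MAX_ELEMENTS)
        return ARRAY_TOO_LARGE;               /* reject before allocating */

    /* Size computed in size_t; it cannot wrap because length is capped. */
    size_t bytes = (size_t)length * sizeof(int32_t);
    int32_t *p = alloc(bytes);
    if (p == NULL)
        return ARRAY_NO_MEMORY;               /* check missing in the code above */

    memset(p, 0, bytes);
    a->m_data = p;
    a->m_noOfElements = length;
    return ARRAY_OK;
}
```

The caller that parses the configuration has to act on the return value, for example by rejecting the PubSubConfig, instead of continuing with an empty array.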