JFrog Security Research

XRAY-75753 - Unified Automation PubSub stack NULL dereference DoS

JFrog Severity: medium

Discovered by Uriya Yavnieli of the JFrog Security Research Team

Published 1 Jun, 2022 | Last updated 1 Jun, 2022

The UaInt32Array::create() function in the Unified Automation C-based PubSub stack is vulnerable to a NULL pointer dereference, which can allow a remote attacker to cause a denial of service.

Unified Automation C++ Based OPC UA PubSub SDK
Unified Automation ANSI C Based OPC UA Client & Server SDK
Unified Automation HighPerf SDK

Unified Automation C++ based OPC UA Client Server SDK (, 1.7.6], fixed in 1.7.7
Unified Automation AnsiC SDK (, 1.9.2], fixed in 1.9.3
Unified Automation HighPerf SDK (, 1.5.2], fixed in 1.6.0

Unified Automation PubSub is a bundle for developing OPC UA PubSub support in C++ and C, developed by Unified Automation.

There is a possible NULL deref in UaInt32Array::create():

void __cdecl UaInt32Array::create(UaInt32Array *const this, OpcUa_UInt32_0 length)
{
    UaInt32Array::clear(this);
    if ( length )
    {
        this->m_data = (OpcUa_Int32_0 *)OpcUa_Memory_Alloc(4 * length);
        /* m_data is not checked for NULL before it is written to */
        memset(this->m_data, 0, 4LL * length);
        this->m_noOfElements = length;
    }
}

memset() is called right after OpcUa_Memory_Alloc() without checking whether this->m_data is NULL. It might be NULL if the requested length is too big.

UaInt32Array::create() is called from PubSubServer::DataSetDispatcherDataItemTargetVariable::DataSetDispatcherDataItemTargetVariable() when parsing a fieldMetadata.ValueRank passed in a PubSubConfig; this value eventually ends up in the length parameter.
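
A defensive version of the same allocation pattern, added here as an illustration; it is not Unified Automation's code or the vendor's actual fix. The type and function names, the injectable allocator (used to simulate a failed allocation) and the ARR_MAX_ELEMENTS cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the SDK types; not Unified Automation's code. */
typedef void *(*alloc_fn)(size_t);
typedef struct { int32_t *data; uint32_t count; } int32_array;
enum { ARR_OK = 0, ARR_TOO_LARGE = -1, ARR_NO_MEMORY = -2 };
#define ARR_MAX_ELEMENTS 65536u /* constructed cap for config-supplied lengths */

/* Allocator that always fails, standing in for an oversized request. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

void int32_array_clear(int32_array *a)
{
    free(a->data);
    a->data = NULL;
    a->count = 0;
}

/* Same shape as create() in the advisory, but the length is bounded and the
 * allocator's result is checked before memset() touches it. */
int int32_array_create(int32_array *a, uint32_t length, alloc_fn alloc)
{
    int32_array_clear(a);
    if (length == 0)
        return ARR_OK;
    if (length > ARR_MAX_ELEMENTS)
        return ARR_TOO_LARGE;       /* reject before allocating */

    int32_t *p = alloc((size_t)length * sizeof *p);
    if (p == NULL)
        return ARR_NO_MEMORY;       /* array stays empty, no write through NULL */

    memset(p, 0, (size_t)length * sizeof *p);
    a->data = p;
    a->count = length;
    return ARR_OK;
}

int main(void)
{
    int32_array a = {0};
    printf("ok=%d ", int32_array_create(&a, 8, malloc));
    printf("alloc-fail=%d ", int32_array_create(&a, 8, failing_alloc));
    printf("too-large=%d\n", int32_array_create(&a, 0xFFFFFFFFu, malloc));
    int32_array_clear(&a);
    return 0;
}
```

Returning a status lets the caller that parses the configuration reject the message instead of continuing with an unallocated array.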

No PoC is supplied for this issue.

No mitigations are supplied for this issue.