JFrog Security Research

XRAY-75756 - Unified Automation C++ based OPC UA Client Server SDK out of bounds read

JFrog Severity: medium

Discovered by Uriya Yavnieli of the JFrog Security Research Team

Published 1 Jun, 2022 | Last updated 1 Jun, 2022

The UaVariant::cloneTo() function in Unified Automation C++ based OPC UA Client Server SDK is vulnerable to a NULL dereference, which can allow a remote authenticated attacker to perform denial of service.

Unified Automation C++ based OPC UA Client Server SDK

Unified Automation C++ based OPC UA Client Server SDK (, 1.7.6], fixed in 1.7.7

Unified Automation C++ based OPC UA Client Server SDK is an SDK for developing OPC UA servers in C++, developed by Unified Automation.

There is a possible null deref in UaVariant::cloneTo():

…
      if ( source->Value.Matrix.NoOfDimensions > 0 )
      {
        copy->Value.Matrix.Dimensions = (int *)OpcUa_Memory_Alloc(4 * source->Value.Matrix.NoOfDimensions);
        memcpy(copy->Value.Matrix.Dimensions, source->Value.Matrix.Dimensions, 4 * source->Value.Matrix.NoOfDimensions);
        nMatrixElements = 1;
        for ( mm = 0; mm < copy->Value.Matrix.NoOfDimensions; ++mm )
          nMatrixElements *= source->Value.Matrix.Dimensions[mm];
…

memcpy() is called right after OpcUa_Memory_Alloc() without checking whether copy->Value.Matrix.Dimensions is null. It might be null if the requested length is too big.
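A hardened form of the dimension copy, as an added example (not Unified Automation's code and not the 1.7.7 fix): matrix_t, the status codes and the injectable allocator are hypothetical, with malloc standing in for OpcUa_Memory_Alloc. It also bounds the element product, which is extra hardening beyond what this advisory describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the matrix fields of the SDK's variant type. */
typedef struct { int32_t NoOfDimensions; int32_t *Dimensions; } matrix_t;

/* Status codes assumed for this example only. */
enum { CLONE_OK = 0, CLONE_BAD_ARG = -1, CLONE_NO_MEMORY = -2, CLONE_TOO_LARGE = -3 };

/* Injectable allocator: malloc here, OpcUa_Memory_Alloc in the quoted code. */
typedef void *(*alloc_fn)(size_t);

/* Constructed allocator that always fails, to exercise the out-of-memory path. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Copies the dimension array and computes the total element count.
 * On any failure dst is left empty, so callers never see a half-built copy. */
static int clone_dimensions(const matrix_t *src, matrix_t *dst,
                            int32_t *n_elements, alloc_fn alloc)
{
    dst->NoOfDimensions = 0;
    dst->Dimensions = NULL;
    *n_elements = 0;
    if (src->NoOfDimensions <= 0) return CLONE_OK;
    if (src->Dimensions == NULL) return CLONE_BAD_ARG;
    size_t bytes = (size_t)src->NoOfDimensions * sizeof(int32_t);
    int32_t *dims = alloc(bytes);
    if (dims == NULL) return CLONE_NO_MEMORY; /* the check missing before memcpy() */
    memcpy(dims, src->Dimensions, bytes);
    int64_t total = 1; /* 64-bit accumulator so the product cannot wrap silently */
    for (int32_t i = 0; i < src->NoOfDimensions; ++i) {
        total *= dims[i];
        if (dims[i] < 0 || total > INT32_MAX) { free(dims); return CLONE_TOO_LARGE; }
    }
    dst->Dimensions = dims;
    dst->NoOfDimensions = src->NoOfDimensions;
    *n_elements = (int32_t)total;
    return CLONE_OK;
}

int main(void)
{
    int32_t d[] = {2, 3, 4}, n; /* constructed sample dimensions */
    matrix_t src = {3, d}, dst;
    printf("allocation failure -> %d\n", clone_dimensions(&src, &dst, &n, failing_alloc));
    return 0;
}
```

Passing the allocator as a parameter lets a unit test force the failure path that the quoted code never handles.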

No PoC is supplied for this issue

No mitigations are supplied for this issue
