The UaVariant::cloneTo() function in the Unified Automation C++ based OPC UA Client Server SDK is vulnerable to an out-of-bounds read, which can allow a remote authenticated attacker to cause a denial of service.
Unified Automation C++ based OPC UA Client Server SDK
Unified Automation C++ based OPC UA Client Server SDK versions up to and including 1.7.6 are affected; fixed in 1.7.7
The Unified Automation C++ based OPC UA Client Server SDK is an SDK used to develop OPC UA servers in C++, developed by Unified Automation.
There is a possible out-of-bounds read in UaVariant::cloneTo():
…
if ( source->Value.Matrix.NoOfDimensions > 0 )
{
    copy->Value.Matrix.Dimensions = (int *)OpcUa_Memory_Alloc(4 * source->Value.Matrix.NoOfDimensions);
    memcpy(copy->Value.Matrix.Dimensions, source->Value.Matrix.Dimensions, 4 * source->Value.Matrix.NoOfDimensions);
    nMatrixElements = 1;
    for ( mm = 0; mm < copy->Value.Matrix.NoOfDimensions; ++mm )
        nMatrixElements *= source->Value.Matrix.Dimensions[mm];
…
There is an integer overflow here if source->Value.Matrix.NoOfDimensions is 0x40000000 or bigger, because the size computation 4 * NoOfDimensions wraps around. For example, with the value 0x40000001 the allocated size will be 0x4. This function is called from UaVariant::operator=(), which is called from PubSubServer::DataSetDispatcherDataItemTargetVariable::DataSetDispatcherDataItemTargetVariable():
if ( valueRank >= 0 )
{
    if ( valueRank && valueRank != 1 )
    {
        OpcUa_Variant_Initialize(&vVal);
        vVal.ArrayType = 2;
        vVal.Datatype = builtInType;
        UaInt32Array::UaInt32Array(&dimensions);
        LOBYTE(v39) = 15;
        UaInt32Array::create(&dimensions, valueRank);
        vVal.Value.Matrix.NoOfDimensions = valueRank;
        vVal.Value.Matrix.Dimensions = UaInt32Array::detach(&dimensions);
        UaVariant::operator=(&intialValue, &vVal);
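The size wrap described above for 4 * NoOfDimensions, next to a bounds-checked form, as an added example that is not code from the SDK or from the advisory. The function names are hypothetical, malloc stands in for OpcUa_Memory_Alloc, and the size is assumed to be computed in 32 bits, which is what the quoted result of 0x4 implies.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Models the size expression from the listing, 4 * NoOfDimensions,
 * evaluated in 32 bits (assumption, see lead-in). */
uint32_t alloc_size_unchecked(int32_t no_of_dimensions)
{
    return 4u * (uint32_t)no_of_dimensions;   /* wraps modulo 2^32 */
}

/* Hardened variant (hypothetical helper): yields the byte size only if
 * the count is positive and the multiplication cannot wrap.
 * Returns 0 on success, -1 if the count is rejected. */
int alloc_size_checked(int32_t no_of_dimensions, uint32_t *size_out)
{
    if (no_of_dimensions <= 0)
        return -1;
    if ((uint32_t)no_of_dimensions > UINT32_MAX / sizeof(int32_t))
        return -1;                            /* 0x40000000 and above */
    *size_out = (uint32_t)no_of_dimensions * (uint32_t)sizeof(int32_t);
    return 0;
}

/* Hypothetical clone of a dimensions array that refuses wrapped sizes.
 * Returns NULL if the count is rejected or the allocation fails. */
int32_t *clone_dimensions_checked(const int32_t *src, int32_t n)
{
    uint32_t size;
    int32_t *copy;

    if (src == NULL || alloc_size_checked(n, &size) != 0)
        return NULL;
    copy = malloc(size);
    if (copy != NULL)
        memcpy(copy, src, size);
    return copy;
}
```

Rejecting the count before allocating keeps the buffer size and the later loop bound in agreement, so a count of 0x40000000 or more never reaches the copy.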
No PoC is supplied for this issue
No mitigations are supplied for this issue