JFrog Security Research

XRAY-75757 - Unified Automation C++ based OPC UA Client Server SDK out of bounds read

JFrog Severity:medium

Published 1 Jun. 2022 | Last updated 1 Jun. 2022

The UaVariant::cloneTo() function in Unified Automation C++ based OPC UA Client Server SDK is vulnerable to of out bounds read issue which can allow a remote authenticated attacker to perform denial of service.

Unified Automation C++ based OPC UA Client Server SDK

Unified Automation C++ based OPC UA Client Server SDK (, 1.7.6], fixed in 1.7.7 ​

Unified Automation C++ based OPC UA Client Server SDK is a SDK used to develop an OPC UA server in C++, Developed by the Unified Automation.

There is a possible read out of bounds in UaVariant::cloneTo():

…
      if ( source->Value.Matrix.NoOfDimensions > 0 )
      {
        copy->Value.Matrix.Dimensions = (int *)OpcUa_Memory_Alloc(4 * source->Value.Matrix.NoOfDimensions);
        memcpy(copy->Value.Matrix.Dimensions, source->Value.Matrix.Dimensions, 4 * source->Value.Matrix.NoOfDimensions);
        nMatrixElements = 1;
        for ( mm = 0; mm < copy->Value.Matrix.NoOfDimensions; ++mm )
          nMatrixElements *= source->Value.Matrix.Dimensions[mm];
…

There is an integer overflow here if source->Value.Matrix.NoOfDimensions is 0x40000000 or bigger. For example with the value 0x40000001 the allocated size will be 0x4. This function is called from UaVariant::operator=() which is called from PubSubServer::DataSetDispatcherDataItemTargetVariable::DataSetDispatcherDataItemTargetVariable():

    if ( valueRank >= 0 )
    {
      if ( valueRank && valueRank != 1 )
      {
        OpcUa_Variant_Initialize(&vVal);
        vVal.ArrayType = 2;
        vVal.Datatype = builtInType;
        UaInt32Array::UaInt32Array(&dimensions);
        LOBYTE(v39) = 15;
        UaInt32Array::create(&dimensions, valueRank);
        vVal.Value.Matrix.NoOfDimensions = valueRank;
        vVal.Value.Matrix.Dimensions = UaInt32Array::detach(&dimensions);
        UaVariant::operator=(&intialValue, &vVal);

No PoC is supplied for this issue ​

No mitigations are supplied for this issue