Details
Description
Naturally, a ForwardOpen has a maximum connection size of 511 bytes (including the 16-bit sequence counter and the 32-bit real-time header, if present).
Seemingly, if I open a class 3 connection towards the device with a size of 511 bytes, and then send a service request over the connection which is larger, the request succeeds (at least it arrives at the object level, which seems to be wrong):
I assume we are missing a size check and also have a classical buffer overflow situation here with all the usual malicious effects. The maximum size of a CIP class 3 explicit service request shall be checked and limited by the size of the class 3 connection. Overly large requests (and responses) shall be rejected.
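As an added illustration of the check the report asks for (example code written for this page, not the project's own code or data structures), the following shows a class 3 connection record holding the size negotiated in the ForwardOpen, and a guard that rejects any connected message larger than that size before its payload is copied into a fixed buffer. The struct and function names are assumptions; the 511-byte connection, 2-byte sequence counter and optional 4-byte real-time header follow the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical connection record (names are assumptions for this example). */
typedef struct {
    uint16_t negotiated_size;  /* connection size from the ForwardOpen, in bytes */
    bool     has_rt_header;    /* 32-bit real-time header present on this connection */
} Class3Connection;

/* Per-message framing that counts against the connection size:
 * 16-bit sequence counter, plus the 32-bit real-time header when used. */
static size_t class3_framing_bytes(const Class3Connection *c) {
    return 2u + (c->has_rt_header ? 4u : 0u);
}

/* Largest explicit service request/response payload the connection may carry. */
size_t class3_max_payload(const Class3Connection *c) {
    size_t framing = class3_framing_bytes(c);
    return c->negotiated_size > framing ? (size_t)c->negotiated_size - framing : 0u;
}

/* True when a received connected message of received_len bytes (sequence
 * counter and optional RT header included) fits the negotiated size.
 * The same rule applies to outgoing responses. */
bool class3_fits_connection(const Class3Connection *c, size_t received_len) {
    if (received_len < class3_framing_bytes(c)) {
        return false;  /* truncated: framing alone does not fit */
    }
    return received_len <= c->negotiated_size;
}

/* Copy the service payload (everything after the framing) into a fixed-size
 * object buffer, but only after the size check has passed. Returns the number
 * of payload bytes copied, or 0 if the message was rejected. */
size_t class3_extract_payload(const Class3Connection *c,
                              const uint8_t *msg, size_t received_len,
                              uint8_t *out, size_t out_cap) {
    if (!class3_fits_connection(c, received_len)) {
        return 0;  /* oversized or truncated: reject, never touch the buffer */
    }
    size_t payload_len = received_len - class3_framing_bytes(c);
    if (payload_len > out_cap) {
        return 0;  /* object buffer smaller than the negotiated size: reject */
    }
    memcpy(out, msg + class3_framing_bytes(c), payload_len);
    return payload_len;
}

int main(void) {
    /* Constructed scenario from the report: 511-byte class 3 connection,
     * no real-time header. */
    Class3Connection conn = { .negotiated_size = 511, .has_rt_header = false };
    uint8_t msg[600];
    uint8_t object_buf[511];
    memset(msg, 0xAB, sizeof msg);

    size_t ok  = class3_extract_payload(&conn, msg, 511, object_buf, sizeof object_buf);
    size_t bad = class3_extract_payload(&conn, msg, 600, object_buf, sizeof object_buf);
    printf("511-byte message: %zu payload bytes accepted\n", ok);   /* 509 */
    printf("600-byte message: %zu payload bytes accepted\n", bad);  /* 0, rejected */
    return 0;
}
```

The check compares the whole received message, framing included, against the negotiated size, and the copy is bounded by both that size and the destination buffer's capacity, so a request larger than the connection is dropped at the transport layer rather than reaching the object level.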