Tenda AC18 Stack Overflow Vulnerability in formSetClientState Function

A stack overflow vulnerability has been identified in the Tenda AC18 router, specifically in the V15.03.05.19 firmware. The issue arises in the formSetClientState function, where the limitSpeedUp parameter is extracted from a POST request without proper input validation. This parameter is then passed to a sprintf function, which writes the formatted string into a local stack-based buffer. If the limitSpeedUp value exceeds the buffer's capacity, it can overwrite the function's return address, causing a stack overflow. This vulnerability could be exploited by an unauthenticated attacker to create a denial-of-service condition or potentially execute arbitrary code on the device, undermining its security and functionality.

Impact

Exploitation of this vulnerability leads to a stack overflow, allowing for overwriting of the return address and potentially executing arbitrary code on the device. Additionally, the vulnerability can cause a denial-of-service condition.