Tenda M3 Heap-Based Buffer Overflow Vulnerability in VLAN Policy Handler

Vulnerability

A heap-based buffer overflow has been identified in the Tenda M3 router, firmware version 1.0.0.13(4903). The flaw is in the 'formSetVlanPolicy' function, reached through the '/goform/setVlanPolicyData' endpoint. The handler does not adequately validate or bounds-check the 'qvlan_truck_port' parameter, and the flaw can be exploited remotely. This memory corruption issue, classified under CWE-122 and CWE-119, could be exploited to corrupt heap memory in a way that leads to arbitrary code execution or other malicious outcomes.

Impact

Exploitation overflows a heap buffer and corrupts heap memory. The resulting overwrite could potentially allow arbitrary code execution or cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/setVlanPolicyData' endpoint. Include the 'qvlan_truck_port' parameter with a payload that exceeds the buffer size, such as a string of repeated characters. The 'memcpy()' function in the handler will copy the oversized input without proper bounds checking, triggering the heap overflow.
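The missing bounds check on the copy described above, written as an added C example; it is not code from the Tenda firmware or from this advisory. The buffer size PORT_BUF_LEN and the helper names copy_port_param and try_length are assumptions, since the advisory gives neither the real buffer length nor the handler source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size: the advisory does not give the real buffer length. */
#define PORT_BUF_LEN 32

/* Pattern the advisory describes (comment only): copy length taken from
 * the request, not the destination:  memcpy(dst, value, strlen(value)); */

/* Hardened copy (hypothetical helper): accept the value only if it fits in
 * dst together with its terminator; refuse oversized input, never truncate. */
int copy_port_param(char *dst, size_t dst_len, const char *value)
{
    const char *end;
    if (dst == NULL || value == NULL || dst_len == 0)
        return -1;
    end = memchr(value, '\0', dst_len);  /* look no further than dst_len bytes */
    if (end == NULL)
        return -1;                       /* no terminator in range: too long */
    memcpy(dst, value, (size_t)(end - value) + 1);  /* includes the '\0' */
    return 0;
}

/* Constructed input: a parameter value of `len` filler characters.
 * Returns 0 accepted, -1 rejected, -2 allocation failure, -3 bad copy. */
int try_length(size_t len)
{
    char *value = malloc(len + 1);
    char *heap_buf = malloc(PORT_BUF_LEN);
    int rc = -2;

    if (value != NULL && heap_buf != NULL) {
        memset(value, '1', len);
        value[len] = '\0';
        rc = copy_port_param(heap_buf, PORT_BUF_LEN, value);
        if (rc == 0 && strlen(heap_buf) != len)
            rc = -3;
    }
    free(value);
    free(heap_buf);
    return rc;
}

int main(void)
{
    printf("31: %d  32: %d  4096: %d\n", try_length(31), try_length(32), try_length(4096));
    return 0;
}
```

The boundary cases matter: a value of PORT_BUF_LEN - 1 characters fits with its terminator, while one of exactly PORT_BUF_LEN characters is rejected.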

Added: Dec 30, 2025, 7:18 AM
Updated: Dec 30, 2025, 7:18 AM