airpig2011 IEC104 Heap-Use-After-Free Vulnerability

Vulnerability

A heap-use-after-free vulnerability has been identified in airpig2011 IEC104, affecting versions through commit be6d841 (2019-07-08). This vulnerability arises during multi-threaded client execution, where the function Iec10x_Scheduled can access memory that has already been freed. This access can lead to program crashes or undefined behavior, and may be exploited to cause a denial-of-service or memory corruption.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition or memory corruption.

Reproduction

The vulnerability can be reproduced by compiling the 'iec104_monitor' program with AddressSanitizer (ASan) enabled, which detects memory errors. The resulting binary is then run in client mode with 100 threads, targeting port 10000. During this execution, concurrent threads interact with a priority queue in a way that triggers the use-after-free condition: thread T7 allocates a memory block, thread T74 frees it, and thread T96 reads from the freed memory, at which point AddressSanitizer reports a heap-use-after-free error.
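
For triage of a report like the one described above, the following added example (not code from the IEC104 project or from this advisory) extracts which thread allocated, freed and accessed the block, and flags the cross-thread lifetime problem. The sample report is constructed: its PID, addresses and "placeholder_*" frame names are assumptions, and only the thread ids and Iec10x_Scheduled come from the text.

```python
import re

# Constructed sample in AddressSanitizer's report layout. The PID, addresses and
# "placeholder_*" frames are made up; only the thread ids and Iec10x_Scheduled
# come from the advisory text.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000010 at pc 0x000000401000 bp 0x7f0000000000 sp 0x7f0000000008
READ of size 4 at 0x603000000010 thread T96
    #0 0x401000 in Iec10x_Scheduled (placeholder-frame)
    #1 0x402000 in placeholder_thread_entry (placeholder-frame)

freed by thread T74 here:
    #0 0x403000 in free (placeholder-frame)
    #1 0x404000 in placeholder_dequeue (placeholder-frame)

previously allocated by thread T7 here:
    #0 0x405000 in malloc (placeholder-frame)
    #1 0x406000 in placeholder_enqueue (placeholder-frame)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ROLES = (
    ("access", re.compile(r"(?:READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)")),
    ("free", re.compile(r"freed by thread (T\d+) here:")),
    ("alloc", re.compile(r"previously allocated by thread (T\d+) here:")),
)
FRAME = re.compile(r"\s+#\d+ 0x[0-9a-f]+ in (\S+)")
RUNTIME = {"malloc", "calloc", "realloc", "free"}  # allocator frames to skip

def parse_asan_report(report):
    """Return the error kind and, per role, the thread id and first non-allocator frame."""
    out, role = {"kind": None, "roles": {}}, None
    for line in report.splitlines():
        if (m := HEADER.search(line)):
            out["kind"] = m.group(1)
        elif (m := FRAME.match(line)) and role:
            if out["roles"][role]["frame"] is None and m.group(1) not in RUNTIME:
                out["roles"][role]["frame"] = m.group(1)
        else:
            for name, pattern in ROLES:
                if (m := pattern.match(line)):
                    role = name
                    out["roles"][name] = {"thread": m.group(1), "frame": None}
    return out

def is_cross_thread_uaf(parsed):
    """True when a complete heap-use-after-free report shows the free and the access on different threads."""
    roles = parsed["roles"]
    complete = parsed["kind"] == "heap-use-after-free" and set(roles) == {"access", "free", "alloc"}
    return complete and roles["access"]["thread"] != roles["free"]["thread"]
```

When the freeing and accessing threads differ, the fix to look for is in how the shared queue's nodes are owned and locked, not in the reading function alone.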

Added: Nov 12, 2025, 7:19 PM
Updated: Nov 12, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.