OpENer Out-of-Bounds Read Vulnerability in Common Packet Format Parser

Vulnerability

An out-of-bounds read has been identified in OpENer version 2.3-558-g1e99582, the open-source EtherNet/IP stack. The flaw is in the Common Packet Format (CPF) parser, specifically the CreateCommonPacketFormatStructure() function in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message carries an attacker-controlled item_count; the parser trusts this value and walks that many items without checking it against the remaining data_length of the CPF slice, so the item reads continue past the end of the heap buffer that holds the received frame.
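The parsing flaw described above, as an added illustration that is not OpENer's code: a minimal CPF walker in the vulnerable shape (item_count trusted, remaining length never consulted) beside a hardened one, both run over a constructed CPF slice whose item_count claims one more item than the slice holds. The type names, the CPF_MAX_ITEMS capacity and the byte values are assumptions made for this demo; the CPF wire layout itself (little-endian item_count, then type_id, length and data per item) is the standard one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative CPF parser written for this page, not OpENer's code; type
 * names and the item capacity are invented. CPF layout inside an
 * EtherNet/IP SendRRData/SendUnitData payload: item_count (u16 LE), then
 * item_count times { type_id (u16 LE), length (u16 LE), data[length] }. */

#define CPF_MAX_ITEMS 4u   /* assumed fixed capacity of the destination struct */

typedef struct {
    uint16_t       type_id;
    uint16_t       length;
    const uint8_t *data;
} cpf_item_t;

typedef struct {
    uint16_t   item_count;    /* value taken from the wire */
    size_t     items_parsed;  /* items actually stored */
    cpf_item_t items[CPF_MAX_ITEMS];
} cpf_t;

static uint16_t rd_u16_le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable shape: item_count is trusted and data_length is never consulted,
 * so the item-header reads march past the end of the slice. Returns the bytes
 * the walk covered; any excess over data_length is the out-of-bounds read.
 * Item data is not dereferenced, so the demo stays inside the backing array. */
static size_t cpf_parse_unchecked(const uint8_t *data, size_t data_length, cpf_t *out)
{
    size_t off = 0;
    (void)data_length;                            /* the bug: never used */
    out->item_count   = rd_u16_le(data + off);  off += 2;
    out->items_parsed = 0;
    for (uint16_t i = 0; i < out->item_count; i++) {
        uint16_t type_id = rd_u16_le(data + off); off += 2;   /* may be OOB */
        uint16_t length  = rd_u16_le(data + off); off += 2;   /* may be OOB */
        if (i < CPF_MAX_ITEMS) {
            out->items[i].type_id = type_id;
            out->items[i].length  = length;
            out->items[i].data    = data + off;
            out->items_parsed++;
        }
        off += length;                            /* item data would be read here */
    }
    return off;
}

/* Hardened shape: every read is preceded by a remaining-length check and
 * item_count is capped at the struct capacity. 0 ok, -1 truncated, -2 too many. */
static int cpf_parse_checked(const uint8_t *data, size_t data_length, cpf_t *out)
{
    size_t off = 0;
    if (data_length < 2) return -1;
    out->item_count   = rd_u16_le(data);  off = 2;
    out->items_parsed = 0;
    if (out->item_count > CPF_MAX_ITEMS) return -2;
    for (uint16_t i = 0; i < out->item_count; i++) {
        if (data_length - off < 4) return -1;     /* item header must fit */
        uint16_t type_id = rd_u16_le(data + off); off += 2;
        uint16_t length  = rd_u16_le(data + off); off += 2;
        if (data_length - off < length) return -1; /* item data must fit */
        out->items[i].type_id = type_id;
        out->items[i].length  = length;
        out->items[i].data    = data + off;
        out->items_parsed++;
        off += length;
    }
    return 0;
}

/* Constructed CPF slice (not a captured frame): item_count claims 3 items but
 * the 12-byte slice holds 2. The trailing 8 bytes stand in for whatever the
 * allocator placed after the receive buffer; a real process must not read them. */
static const uint8_t kCraftedCpf[] = {
    0x03, 0x00,                                      /* item_count = 3 (2 present) */
    0x00, 0x00, 0x00, 0x00,                          /* item 1: Null Address, len 0 */
    0xB2, 0x00, 0x02, 0x00, 0x01, 0x02,              /* item 2: Unconnected Data, len 2 */
    /* ---- end of the CPF slice: data_length = 12 ---- */
    0xFE, 0xCA, 0x04, 0x00, 0xDE, 0xAD, 0xBE, 0xEF   /* adjacent heap bytes */
};
#define CRAFTED_CPF_LEN 12u

/* Bytes the unchecked parser reads past the declared slice on the crafted input. */
size_t demo_unchecked_overread(void)
{
    cpf_t cpf;
    size_t consumed = cpf_parse_unchecked(kCraftedCpf, CRAFTED_CPF_LEN, &cpf);
    return consumed > CRAFTED_CPF_LEN ? consumed - CRAFTED_CPF_LEN : 0;
}

/* Return code of the hardened parser on the same crafted input. */
int demo_checked_rejects(void)
{
    cpf_t cpf;
    return cpf_parse_checked(kCraftedCpf, CRAFTED_CPF_LEN, &cpf);
}

/* Same bytes with an honest item_count of 2: items stored by the hardened parser. */
size_t demo_checked_accepts_valid(void)
{
    uint8_t valid[CRAFTED_CPF_LEN];
    cpf_t cpf;
    memcpy(valid, kCraftedCpf, CRAFTED_CPF_LEN);
    valid[0] = 0x02;
    return cpf_parse_checked(valid, CRAFTED_CPF_LEN, &cpf) == 0 ? cpf.items_parsed : 0;
}

int main(void)
{
    printf("unchecked parser over-read: %zu bytes\n", demo_unchecked_overread());
    printf("checked parser on crafted input: %d\n", demo_checked_rejects());
    printf("checked parser on valid input: %zu items\n", demo_checked_accepts_valid());
    return 0;
}
```

On the crafted slice the unchecked walker covers 20 bytes for a 12-byte slice, i.e. the third item header and its 4 data bytes are taken from memory that does not belong to the frame; in a real build with AddressSanitizer that header read is what surfaces as a heap-buffer-overflow READ. The hardened version stops with a truncation error at the third header, and accepts the same bytes once item_count matches what is actually present. The two checks that matter are the header check (4 bytes remaining before reading type_id and length) and the data check (length bytes remaining before advancing), both computed from the slice's own data_length rather than from attacker-supplied fields.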

Impact

Exploitation triggers a heap-buffer-overflow, the sanitizer classification for reading past the end of a heap buffer. The direct consequence is a crash of the OpENer process (denial of service for the EtherNet/IP adapter) or, where the over-read bytes flow into a response, disclosure of adjacent heap memory. Because the primitive is a read rather than a write, the reported crash does not by itself corrupt memory or yield arbitrary code execution; escalating to code execution would require an additional flaw.

Reproduction

The issue was found by fuzzing. Build OpENer with AFL (American Fuzzy Lop) instrumentation, fuzz the ENIP input path, and keep the test case that crashes the CPF parser. To reproduce, deliver that crafted test case to a running OpENer instance as an ENIP frame: the CPF parser trusts the manipulated item_count and reads beyond the allocated receive buffer. Building with AddressSanitizer as well makes the over-read visible as a heap-buffer-overflow report instead of a silent read of adjacent heap memory.

Added: May 18, 2026, 5:22 PM
Updated: May 18, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          0.6
exploitability  9.1
remediation     0.0
relevance       8.7
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.