BF Specification of CVE-2018-14557 Tenda firmware until v15.03.06.44_CN(AC7), v15.03.05.19(6318)_CN(AC9), and v15.03.06.23_CN(AC10)

Erroneous declaration of the 's' object leads to a wrong type (char instead of an array of chars), allowing a pointer reposition over its bounds, which, when used in 'sprintf()' leads to stack buffer overflow. If exploited, this can lead to denial of service (DOS) -- availability loss.

vendor:product: tenda:ac7_firmware:*

Bug Report

Code with Bug

Code with Fix

NVD Entry

DCLDeclaration (DCL) class – An object, a function, a type, or a namespace is declared or defined improperly.
MADMemory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUSMemory Use (MUS) class – An object is initialized, read, written, or cleared improperly.
DeclareDeclare operation – Specify the name and type of an object; the name, return type, and parameters of a function; or the name and type parameters of a type.
RepositionReposition operation – Change the pointer to another position inside its object.
WriteWrite operation – Change the data value of an object to another meaningful value.
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Type Error/FaultType Fault/Error type – The the set or range of allowed values is wrong or the operations allowed on them are wrong.
   Wrong TypeWrong Type fault/error – A data type range or structure is not correct.
Address Error/FaultAddress Fault/Error type – The object address in use is wrong.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer OverflowBuffer Overflow exploitable error – Write data above the upper bound of an object (i.e., buffer overwrite).
Operation AttributeDefinition
MechanismMechanism operation attribute type – Shows how the operation code is performed.
   SimpleSimple operation attribute – The operation is via non-polymorphic types.
   SequentialSequential operation attribute – The operation is via iterating over the object elements.
Source CodeSource Code operation attribute type – Shows where the operation code is in software or firmware.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
Execution SpaceExecution Space operation attribute type – Shows where the operation code is running or with what privilege level.
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operand AttributeDefinition
Name KindName Kind operand attribute type – Shows the entity with this name.
   Data TypeData Type operand attribute – A set of allowed values and the operations allowed over them.
Type KindType Kind operand attribute type – Shows what the data type composition is.
   PrimitivePrimitive operand attribute – A scalar data type that mimics the hardware units - e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types.
Address StateAddress State operand attribute type - Shows where the address is in the memory layout.
   StackStack operand attribute – The object is a non-static local variable (defined in a function, a passed parameter, or a function return address).
Size KindSize Kind operand attribute type – Shows the object's limit for traversal.
   ActualActual operand attribute – The real size of an object.
Address KindAddress Kind operand attribute type - Shows how much memory is accessed outside object's bounds.
   ModerateModerate operand attribute - Several bytes, but less than 1 KB, of memory.