Capital™ Embedded Potential Array Out-of-Bounds Access in the Dcm Module

2024-10-09T09:46:41.000-0400
Capital Embedded AR Classic

Summary

When a non-configured DID is requested via the ReadDataByIdentifier (0x22) service, a bug in the internal function FindDidByIdentifier() in Dcm_Dsp.c can cause an array out-of-bounds access.


Details

Affected versions:

The issue was introduced in software version V8.36.5-Delivery-Build26338 (2406 milestone release) and is present in all subsequent versions up to but not including the 2412 milestone release.

Issue trigger conditions:

The issue can only appear if all of the following conditions are satisfied when a DID is requested through the ReadDataByIdentifier (0x22) service:

  • A DID with an identifier lower than any of the configured DIDs is requested.

  • The total number of configured DIDs is 2, 5, 6, 11, 12, 13, 14, 23, 24, etc., up to 32767, that is, any number of DIDs that causes the expected final loop iteration of the binary search to have beginIndex = 0 and endIndex = 1.

Root cause:

The condition for breaking the loop should be if (index == 0U) instead of if (endIndex == 0U). When the trigger conditions are satisfied, the current condition does not break the loop, so endIndex is set to index - 1, which wraps to 65535 because the index is a 16-bit unsigned integer. This leads to an out-of-bounds access.
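
The C model below is an added example, not the Dcm_Dsp.c source. It reconstructs the index arithmetic of the search as described above for a requested DID lower than every configured one, and reports whether a given number of configured DIDs would lead to an index past the table. The function name, the useFixedCheck parameter and the loop shape are assumptions; only beginIndex, endIndex, index and the two break conditions come from this article.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, reconstructed from the advisory; not vendor code.
 * Models the search when the requested DID is lower than every configured
 * DID, so each iteration continues into the lower half of the table.
 * Returns 1 if an index past the table would be used, 0 otherwise. */
static int search_goes_out_of_bounds(uint16_t didCount, int useFixedCheck)
{
    uint16_t beginIndex = 0U;
    uint16_t endIndex;
    uint16_t index;

    if (didCount == 0U) {
        return 0;
    }
    endIndex = (uint16_t)(didCount - 1U);

    while (beginIndex <= endIndex) {
        index = (uint16_t)(((uint32_t)beginIndex + endIndex) / 2U);
        if (index >= didCount) {
            return 1; /* a real table lookup at this index is out of bounds */
        }
        /* Break condition: index == 0U (fixed) or endIndex == 0U (as shipped). */
        if (useFixedCheck ? (index == 0U) : (endIndex == 0U)) {
            break;
        }
        /* With index == 0 this wraps to 65535 in 16-bit unsigned arithmetic. */
        endIndex = (uint16_t)(index - 1U);
    }
    return 0;
}

int main(void)
{
    uint16_t n;

    /* Print configured-DID counts up to 32 that hit the faulty path. */
    for (n = 1U; n <= 32U; n++) {
        if (search_goes_out_of_bounds(n, 0)) {
            printf("%u ", (unsigned)n);
        }
    }
    printf("\n");
    return 0;
}
```

Calling the function with a project's configured DID count shows whether that configuration meets the second trigger condition.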

Workaround:

Configuring a DID with the identifier 0x0000 and DcmDspDidUsed (false), if one is not already configured, will prevent the issue from occurring.

Resolution:

The fix will be part of the 2412 milestone release.

KB Article ID# KB000154312_EN_US
