| Firmware Name | Firmware Version | Download Link |
|---|---|---|
| DAP-1562 | DAP_1562_REVA_FIRMWARE_1.10 | DAP-1562_FIRMWARE_1.10.ZIP |

The vulnerability is triggered in the connection_set_state function, where a pointer holding the wrong address is dereferenced.

0x00422548. It is determined that the vulnerability is caused by an incorrect dereference of the function parameter connection *con.

The connection_set_state function is called within the connection_state_machine function. The http_request_parse function is called before the connection_set_state function.

When the http_request_parse function is called, the variable con (register s2/a1) can still be dereferenced normally.

In the http_request_parse function, the strncpy function is called to copy the value of the Authorization field in the request onto the stack. However, the buffer is only 0x12C bytes. If the length of this value exceeds 0x12C, a stack overflow occurs.

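When the http_request_parse function returns, it restores the value of the register s2 that was previously saved on the stack. However, due to the stack overflow, this saved value has been corrupted. Because s2 holds con, the connection_set_state function then dereferences a corrupted pointer.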
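
The fix for the copy described above is to bound it by the destination buffer rather than by the length of the request value, and to reject an over-long value instead of truncating it. The following is an added example, not code from the firmware or the vendor: the function names and the shape of the unsafe call are assumptions, and only the 0x12C buffer size comes from the analysis above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define AUTH_BUF_SIZE 0x12C /* stack buffer size reported above */

/* Assumed shape of the unsafe pattern (illustrative, not decompiled code):
 *     char buf[AUTH_BUF_SIZE];
 *     strncpy(buf, value, value_len);   bound comes from the request
 */

/* Hypothetical helper: copy the Authorization value from one header line.
 * Returns the value length, -1 if the line is not an Authorization header,
 * or -2 if the value does not fit in dst (rejected, never truncated). */
int copy_auth_value(const char *line, size_t line_len, char *dst, size_t dst_size)
{
    static const char name[] = "authorization:";
    const size_t name_len = sizeof(name) - 1;

    if (line_len < name_len)
        return -1;
    for (size_t i = 0; i < name_len; i++) /* header names are case-insensitive */
        if (tolower((unsigned char)line[i]) != name[i])
            return -1;

    const char *value = line + name_len;
    size_t value_len = line_len - name_len;
    while (value_len > 0 && (*value == ' ' || *value == '\t')) { /* leading whitespace */
        value++;
        value_len--;
    }
    while (value_len > 0 && (value[value_len - 1] == '\r' || value[value_len - 1] == '\n'))
        value_len--; /* trailing CRLF */

    if (value_len >= dst_size) /* bound by the destination, keep room for the NUL */
        return -2;
    memcpy(dst, value, value_len);
    dst[value_len] = '\0';
    return (int)value_len;
}

/* Constructed input: an Authorization line carrying value_len filler bytes. */
int check_constructed_line(size_t value_len)
{
    char line[1024] = "Authorization: ";
    char buf[AUTH_BUF_SIZE];
    size_t prefix = strlen(line);

    if (value_len > sizeof(line) - prefix - 2)
        return -1;
    memset(line + prefix, 'A', value_len);
    memcpy(line + prefix + value_len, "\r\n", 2);
    return copy_auth_value(line, prefix + value_len + 2, buf, sizeof(buf));
}
```

A value of 0x12B bytes is the largest that fits with its terminator; anything from 0x12C upward is refused before any byte is written to the stack buffer.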