Firmware Name | Firmware Version | Download Link |
---|---|---|
DAP-1620 | DAP_1620_REVA_FIRMWARE_1.03 | https://legacyfiles.us.dlink.com/DAP-1620/REVA/Firmware/DAP-1620_REVA_FIRMWARE_1.03.B08.ZIP |
The vulnerability is triggered by a pointer dereference error at address 0x0041d9ac within the `array_reset` function.

Each time an HTTP request is received, the `http_request_parse` function is invoked to parse the request; it subsequently calls `set_ws_action`. Before further processing, the global variable `ws_action` is initialized with `memset(&ws_action, 0, 20)` to clear its 20-byte buffer. The variable `con->request.http_range` contains the path of the HTTP request. The condition `if (!strncmp(str1_1, "/dws/api/", 9u))` checks whether the request path starts with "/dws/api/"; if it does, `set_ws_action` is called to process the request further.
The decompiled source code for the `set_ws_action` function is provided below for reference.

If the input string `str` contains a '?', the function sets the global variable `ws_action` to the substring before the '?'; otherwise, if `str` starts with "Login", it sets `ws_action` to "Login".

The global variable `ws_action` is located at address 0x0046DBC0 and has a buffer of only 20 bytes, making it susceptible to a buffer overflow.
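The following is an added illustration of the bounds check that is missing from the behaviour described above; it is a hypothetical reconstruction written for this write-up, not the firmware's decompiled `set_ws_action`. It assumes the 20-byte global `ws_action` and the two branches the text describes (substring before '?', or the literal "Login"), and it rejects any action that would not fit in the buffer instead of copying it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction for illustration only; not the firmware's code.
 * The 20-byte size comes from the memset(&ws_action, 0, 20) in the write-up. */
#define WS_ACTION_SIZE 20

static char ws_action[WS_ACTION_SIZE];

/* Bounded variant of the action parser.
 * Returns 0 when ws_action was set (or intentionally left empty) and
 * -1 when the action before '?' would not fit in the buffer, in which case
 * ws_action is left cleared and the caller should reject the request. */
int set_ws_action_checked(const char *str)
{
    memset(ws_action, 0, sizeof ws_action);
    if (str == NULL)
        return -1;

    const char *q = strchr(str, '?');
    if (q != NULL) {
        size_t len = (size_t)(q - str);
        /* Leave room for the terminating NUL: len must be <= 19. */
        if (len >= sizeof ws_action)
            return -1;
        memcpy(ws_action, str, len);
        ws_action[len] = '\0';
        return 0;
    }

    if (strncmp(str, "Login", 5) == 0) {
        /* "Login" is 5 bytes, well within the buffer; copy with a bound anyway. */
        strncpy(ws_action, "Login", sizeof ws_action - 1);
        return 0;
    }

    /* No recognised action: buffer stays cleared. */
    return 0;
}

/* Accessor so the result can be inspected without touching the global directly. */
const char *get_ws_action(void)
{
    return ws_action;
}

/* Constructed input: an action name of 40 'A's followed by '?', which is
 * longer than the buffer and must be rejected rather than copied. */
int demo_overlong_rejected(void)
{
    char path[64];
    memset(path, 'A', 40);
    path[40] = '?';
    path[41] = '\0';
    return set_ws_action_checked(path);
}
```

The check `len >= sizeof ws_action` is the one-line difference between the described behaviour and a safe copy: anything that cannot fit with its terminator is refused before any write to the global.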