Vendor: Tenda
Product: AC10
Version: US_AC10V4.0si_V16.03.10.09_multi_TDE01
Type: Buffer Overflow
Firmware link: https://www.tendacn.com/material/show/104560

The function get_parentControl_list_Info copies the HTTP parameters deviceId and urls straight into fixed-size fields of the target structure a2 using strcpy() with no length checks. Specifically, deviceId is written to offset +2 (only 32 bytes available) and urls to offset +80 (512 bytes). Supplying strings longer than these buffers over the /goform/getParentControlInfo endpoint lets a remote, unauthenticated attacker overflow the stack/heap, overwrite the saved return address, and execute arbitrary code as root or crash the service. Additional risks come from an unchecked sscanf() on the day parameter and multiple atoi() calls that blindly trust user input, further increasing the chance of memory corruption. In short, the function presents a classic buffer-overflow vulnerability exploitable via the deviceId parameter on all AC10 V4 firmware ≤ 16.03.10.20.
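
A bounded form of the copies and integer parsing described above, as an added example that is not Tenda's code or a vendor patch. The struct layout outside the two documented fields, and the names pc_info, copy_param, parse_int_range and fill_pc_info, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Assumed layout: only the two offsets and sizes come from the advisory. */
struct pc_info {
    char hdr[2];        /* +0  unknown */
    char device_id[32]; /* +2  deviceId */
    char other[46];     /* +34 unknown fields */
    char urls[512];     /* +80 urls */
};
_Static_assert(offsetof(struct pc_info, urls) == 80, "layout drifted");

/* Copy src only if it fits in dst with its terminator; never truncates. */
int copy_param(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)
        return -1; /* too long: reject the request */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stand-in for atoi(): rejects empty input, trailing junk, values outside [lo, hi]. */
int parse_int_range(const char *s, long lo, long hi, long *out)
{
    char *end;
    if (s == NULL)
        return -1;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Fill the structure only when every parameter validates. */
int fill_pc_info(struct pc_info *info, const char *device_id, const char *urls)
{
    struct pc_info tmp = {0};
    if (copy_param(tmp.device_id, sizeof tmp.device_id, device_id) != 0 ||
        copy_param(tmp.urls, sizeof tmp.urls, urls) != 0)
        return -1;
    *info = tmp;
    return 0;
}
```

An over-length parameter fails the whole request and leaves the caller's structure untouched, rather than being silently truncated into the field.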