Skip to content

Commit

Permalink
- ACSE: fixed out-of-bound read in parseAarqPdu/parseAarePdu functions (
Browse files Browse the repository at this point in the history 
#512)(#513)(LIB61850-441)(LIB61850-442)
  • Loading branch information
@mzillgith
mzillgith committed Aug 12, 2024
1 parent be15bfc commit 786586d
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions src/mms/iso_acse/acse.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,10 +197,17 @@ parseAarePdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)

bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);

if (bufPos < 0)
{
if (DEBUG_ACSE)
printf("ACSE: Invalid PDU!\n");
return ACSE_ERROR;
}

if (len == 0)
continue;

if ((bufPos < 0) || (bufPos + len > maxBufPos))
if (bufPos + len > maxBufPos)
{
if (DEBUG_ACSE)
printf("ACSE: Invalid PDU!\n");
Expand Down Expand Up @@ -290,10 +297,17 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)

bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);

if (bufPos < 0)
{
if (DEBUG_ACSE)
printf("ACSE: Invalid PDU!\n");
return ACSE_ASSOCIATE_FAILED;
}

if (len == 0)
continue;

if ((bufPos < 0) || (bufPos + len > maxBufPos))
if (bufPos + len > maxBufPos)
{
if (DEBUG_ACSE)
printf("ACSE: Invalid PDU!\n");
Expand Down

0 comments on commit 786586d

Please sign in to comment.