From 786586d642964b269859363d300e41373c213c76 Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Mon, 12 Aug 2024 10:57:05 +0100
Subject: [PATCH] - ACSE: fixed out-of-bound read in parseAarqPdu/parseAarePdu functions (#512)(#513)(LIB61850-441)(LIB61850-442)
---
 src/mms/iso_acse/acse.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/mms/iso_acse/acse.c b/src/mms/iso_acse/acse.c
index 9f5b4186..d35cabf7 100644
--- a/src/mms/iso_acse/acse.c
+++ b/src/mms/iso_acse/acse.c
@@ -197,10 +197,17 @@ parseAarePdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
+ if (bufPos < 0)
+ {
+ if (DEBUG_ACSE)
+ printf("ACSE: Invalid PDU!\n");
+ return ACSE_ERROR;
+ }
+
 if (len == 0)
 continue;
- if ((bufPos < 0) || (bufPos + len > maxBufPos))
+ if (bufPos + len > maxBufPos)
 {
 if (DEBUG_ACSE)
 printf("ACSE: Invalid PDU!\n");
@@ -290,10 +297,17 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
+ if (bufPos < 0)
+ {
+ if (DEBUG_ACSE)
+ printf("ACSE: Invalid PDU!\n");
+ return ACSE_ASSOCIATE_FAILED;
+ }
+
 if (len == 0)
 continue;
- if ((bufPos < 0) || (bufPos + len > maxBufPos))
+ if (bufPos + len > maxBufPos)
 {
 if (DEBUG_ACSE)
 printf("ACSE: Invalid PDU!\n");
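Review bot: The replacement guard `if (bufPos + len > maxBufPos)` in the parseAarePdu hunk (and the identical one in the parseAarqPdu hunk) still uses `len` exactly as BerDecoder_decodeLength returned it: if the decoder can hand back a negative length, or one large enough that the `int` addition overflows, the comparison passes and the loop body reads past the buffer — the same class of bug this commit fixes. Whether decodeLength already clamps `len` to the remaining buffer is not visible in these hunks, so if it does not, an overflow-free form is `if ((len < 0) || (len > maxBufPos - bufPos))`, which is safe because the new `bufPos < 0` check above it guarantees `bufPos` is non-negative. As a point of style, the new `bufPos < 0` blocks duplicate the existing error block immediately below them; a single combined `if ((bufPos < 0) || (len < 0) || (len > maxBufPos - bufPos))` placed before `if (len == 0) continue;` would express the fix in one place in both functions. Both parseAarePdu and parseAarqPdu begin and end outside their hunks.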