- restrict maximum recursion depth in BerDecoder_decodeLength when indefinite length encoding is used to avoid stack overflow when receiving malformed messages

pull/320/head
Michael Zillgith 5 years ago
parent 058bc2edf7
commit 0451460c7e

@ -25,8 +25,16 @@
#include "ber_decode.h" #include "ber_decode.h"
static int static int
getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos) BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth);
static int
getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos, int depth, int maxDepth)
{ {
depth++;
if (depth > maxDepth)
return -1;
int length = 0; int length = 0;
while (bufPos < maxBufPos) { while (bufPos < maxBufPos) {
@ -44,7 +52,7 @@ getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos)
int subLength = -1; int subLength = -1;
int newBufPos = BerDecoder_decodeLength(buffer, &subLength, bufPos, maxBufPos); int newBufPos = BerDecoder_decodeLengthRecursive(buffer, &subLength, bufPos, maxBufPos, depth, maxDepth);
if (newBufPos == -1) if (newBufPos == -1)
return -1; return -1;
@ -58,8 +66,8 @@ getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos)
return -1; return -1;
} }
int static int
BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos) BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth)
{ {
if (bufPos >= maxBufPos) if (bufPos >= maxBufPos)
return -1; return -1;
@ -70,7 +78,7 @@ BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
int lenLength = len1 & 0x7f; int lenLength = len1 & 0x7f;
if (lenLength == 0) { /* indefinite length form */ if (lenLength == 0) { /* indefinite length form */
*length = getIndefiniteLength(buffer, bufPos, maxBufPos); *length = getIndefiniteLength(buffer, bufPos, maxBufPos, depth, maxDepth);
} }
else { else {
*length = 0; *length = 0;
@ -105,6 +113,12 @@ BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
return bufPos; return bufPos;
} }
int
BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
{
return BerDecoder_decodeLengthRecursive(buffer, length, bufPos, maxBufPos, 0, 50);
}
char* char*
BerDecoder_decodeString(uint8_t* buffer, int strlen, int bufPos, int maxBufPos) BerDecoder_decodeString(uint8_t* buffer, int strlen, int bufPos, int maxBufPos)
{ {
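Review bot: The new depth-limit failure is reported only as `-1` from `getIndefiniteLength`, and in the indefinite-length branch of `BerDecoder_decodeLengthRecursive` that value is stored straight into `*length`. The code after that branch lies outside the visible hunks, so it is worth confirming that a negative `*length` makes the function return `-1` rather than a valid `bufPos`. If it does not, adding `if (*length < 0) return -1;` directly after the assignment would keep a rejected malformed message from reaching callers as a negative length. Separately, the limit is the bare literal `50` in the `BerDecoder_decodeLength` wrapper; a named constant with a short comment such as `/* maximum nesting of indefinite-length elements accepted from the wire */` would make the bound easier to review and to lower on small-stack targets.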
