RYTEC
/
libiec61850
mirror of https://github.com/mz-automation/libiec61850.git
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- restrict maximum recursion depth in BerDecoder_decodeLength when indefinite length encoding is used to avoid stack overflow when receiving malformed messages

Browse Source
pull/320/head
Michael Zillgith 5 years ago
parent 058bc2edf7
commit 0451460c7e
1 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File

24
src/mms/asn1/ber_decode.c
Unescape Escape View File

@ -25,8 +25,16 @@
#include "ber_decode.h"
static int
getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos)
BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth);
static int
getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos, int depth, int maxDepth)
{
depth++;
if (depth > maxDepth)
return -1;
int length = 0;
while (bufPos < maxBufPos) {
@ -44,7 +52,7 @@ getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos)
int subLength = -1;
int newBufPos = BerDecoder_decodeLength(buffer, &subLength, bufPos, maxBufPos);
int newBufPos = BerDecoder_decodeLengthRecursive(buffer, &subLength, bufPos, maxBufPos, depth, maxDepth);
if (newBufPos == -1)
return -1;
@ -58,8 +66,8 @@ getIndefiniteLength(uint8_t* buffer, int bufPos, int maxBufPos)
return -1;
}
int
BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
static int
BerDecoder_decodeLengthRecursive(uint8_t* buffer, int* length, int bufPos, int maxBufPos, int depth, int maxDepth)
{
if (bufPos >= maxBufPos)
return -1;
@ -70,7 +78,7 @@ BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
int lenLength = len1 & 0x7f;
if (lenLength == 0) { /* indefinite length form */
*length = getIndefiniteLength(buffer, bufPos, maxBufPos);
*length = getIndefiniteLength(buffer, bufPos, maxBufPos, depth, maxDepth);
}
else {
*length = 0;
@ -105,6 +113,12 @@ BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
return bufPos;
}
int
BerDecoder_decodeLength(uint8_t* buffer, int* length, int bufPos, int maxBufPos)
{
return BerDecoder_decodeLengthRecursive(buffer, length, bufPos, maxBufPos, 0, 50);
}
char*
BerDecoder_decodeString(uint8_t* buffer, int strlen, int bufPos, int maxBufPos)
{

Write Preview
Loading…
Cancel
Save