- added type checks when using asn1c parsing results for whole MmsPdu (LIB61850-343)

3 years ago · 1615c8ea9a
parent aeb8cb6157
commit 1615c8ea9a
8 changed files with 99 additions and 66 deletions
--- a/src/mms/iso_mms/client/mms_client_connection.c
+++ b/src/mms/iso_mms/client/mms_client_connection.c
@ -66,7 +66,7 @@ static void
 handleUnconfirmedMmsPdu(MmsConnection self, ByteBuffer* message)
 {
    if (self->reportHandler != NULL) {
-        MmsPdu_t* mmsPdu = 0; /* allow asn1c to allocate structure */
+        MmsPdu_t* mmsPdu = NULL; /* allow asn1c to allocate structure */

        if (DEBUG_MMS_CLIENT)
            printf("MMS_CLIENT: report handler rcvd size:%i\n", ByteBuffer_getSize(message));
--- a/src/mms/iso_mms/client/mms_client_files.c
+++ b/src/mms/iso_mms/client/mms_client_files.c
@ -1,7 +1,7 @@
 /*
 *  mms_client_files.c
 *
- *  Copyright 2013 - 2016 Michael Zillgith
+ *  Copyright 2013 - 2022 Michael Zillgith
 *
 *  This file is part of libIEC61850.
 *
--- a/src/mms/iso_mms/client/mms_client_get_var_access.c
+++ b/src/mms/iso_mms/client/mms_client_get_var_access.c
@ -1,7 +1,7 @@
 /*
 *  mms_client_get_var_access.c
 *
- *  Copyright 2013-2018 Michael Zillgith
+ *  Copyright 2013-2022 Michael Zillgith
 *
 *  This file is part of libIEC61850.
 *
@ -132,7 +132,7 @@ createTypeSpecification(TypeSpecification_t* asnTypeSpec)
 MmsVariableSpecification*
 mmsClient_parseGetVariableAccessAttributesResponse(ByteBuffer* message, uint32_t* invokeId)
 {
-    MmsPdu_t* mmsPdu = 0; /* allow asn1c to allocate structure */
+    MmsPdu_t* mmsPdu = NULL; /* allow asn1c to allocate structure */
    MmsVariableSpecification* typeSpec = NULL;

    asn_dec_rval_t rval = ber_decode(NULL, &asn_DEF_MmsPdu,
--- a/src/mms/iso_mms/client/mms_client_named_variable_list.c
+++ b/src/mms/iso_mms/client/mms_client_named_variable_list.c
@ -119,7 +119,7 @@ mmsClient_createDeleteAssociationSpecificNamedVariableListRequest(
 bool
 mmsClient_parseDeleteNamedVariableListResponse(ByteBuffer* message, uint32_t* invokeId, long* numberDeleted, long* numberMatched)
 {
-    MmsPdu_t* mmsPdu = 0;
+    MmsPdu_t* mmsPdu = NULL;

    bool retVal = false;

@ -299,7 +299,7 @@ parseNamedVariableAttributes(GetNamedVariableListAttributesResponse_t* response,
 LinkedList /* <MmsVariableAccessSpecification*> */
 mmsClient_parseGetNamedVariableListAttributesResponse(ByteBuffer* message, bool* /*OUT*/deletable)
 {
-    MmsPdu_t* mmsPdu = 0;
+    MmsPdu_t* mmsPdu = NULL;

    LinkedList attributes = NULL;

@ -311,7 +311,7 @@ mmsClient_parseGetNamedVariableListAttributesResponse(ByteBuffer* message, bool*

            if (mmsPdu->choice.confirmedResponsePdu.confirmedServiceResponse.present ==
                    ConfirmedServiceResponse_PR_getNamedVariableListAttributes)
-                    {
+            {
                attributes = parseNamedVariableAttributes(
                        &(mmsPdu->choice.confirmedResponsePdu.confirmedServiceResponse.choice.getNamedVariableListAttributes),
                        deletable);
@ -430,7 +430,7 @@ mmsClient_createDefineNamedVariableListRequest(
 bool
 mmsClient_parseDefineNamedVariableResponse(ByteBuffer* message, uint32_t* invokeId)
 {
-    MmsPdu_t* mmsPdu = 0;
+    MmsPdu_t* mmsPdu = NULL;
    bool retVal = false;

    asn_dec_rval_t rval;
--- a/src/mms/iso_mms/client/mms_client_read.c
+++ b/src/mms/iso_mms/client/mms_client_read.c
@ -363,7 +363,7 @@ mmsClient_parseListOfAccessResults(AccessResult_t** accessResultList, int listSi
 MmsValue*
 mmsClient_parseReadResponse(ByteBuffer* message, uint32_t* invokeId, bool createArray)
 {
-    MmsPdu_t* mmsPdu = 0; /* allow asn1c to allocate structure */
+    MmsPdu_t* mmsPdu = NULL; /* allow asn1c to allocate structure */

    MmsValue* valueList = NULL;

--- a/src/mms/iso_mms/server/mms_named_variable_list_service.c
+++ b/src/mms/iso_mms/server/mms_named_variable_list_service.c
@ -120,9 +120,8 @@ mmsServer_handleDeleteNamedVariableListRequest(MmsServerConnection connection,
 {
    (void)bufPos;

-	DeleteNamedVariableListRequest_t* request = 0;
-
-    MmsPdu_t* mmsPdu = 0;
+    DeleteNamedVariableListRequest_t* request = NULL;
+    MmsPdu_t* mmsPdu = NULL;

    asn_dec_rval_t rval = ber_decode(NULL, &asn_DEF_MmsPdu, (void**) &mmsPdu, buffer, maxBufPos);

@ -131,8 +130,17 @@ mmsServer_handleDeleteNamedVariableListRequest(MmsServerConnection connection,
        goto exit_function;
    }

-    request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.deleteNamedVariableList);
-
+    if ((mmsPdu->present == MmsPdu_PR_confirmedRequestPdu) &&
+        (mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.present
+        == ConfirmedServiceRequest_PR_deleteNamedVariableList))
+    {
+        request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.deleteNamedVariableList);
+    }
+    else {
+        mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
+        goto exit_function;
+    }
+ 
 	long scopeOfDelete = DeleteNamedVariableListRequest__scopeOfDelete_specific;

 	if (request->scopeOfDelete)
@ -458,44 +466,53 @@ mmsServer_handleDefineNamedVariableListRequest(
 	    goto exit_free_struct;
 	}

-	request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.defineNamedVariableList);
+    if ((mmsPdu->present == MmsPdu_PR_confirmedRequestPdu) && 
+        (mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.present 
+            == ConfirmedServiceRequest_PR_defineNamedVariableList))
+    {
+        request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.defineNamedVariableList);
+    }
+    else {
+        mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
+	    goto exit_free_struct;
+    }

-	MmsDevice* device = MmsServer_getDevice(connection->server);
+    MmsDevice* device = MmsServer_getDevice(connection->server);

-	if (request->variableListName.present == ObjectName_PR_domainspecific) {
+    if (request->variableListName.present == ObjectName_PR_domainspecific) {

-	    char domainName[65];
+        char domainName[65];

-	    if (request->variableListName.choice.domainspecific.domainId.size > 64) {
-	        mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
-	        goto exit_free_struct;
-	    }
+        if (request->variableListName.choice.domainspecific.domainId.size > 64) {
+            mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
+            goto exit_free_struct;
+        }

-	    StringUtils_createStringFromBufferInBuffer(domainName,
-	            request->variableListName.choice.domainspecific.domainId.buf,
-	            request->variableListName.choice.domainspecific.domainId.size);
+        StringUtils_createStringFromBufferInBuffer(domainName,
+                request->variableListName.choice.domainspecific.domainId.buf,
+                request->variableListName.choice.domainspecific.domainId.size);

-		MmsDomain* domain = MmsDevice_getDomain(device, domainName);
+        MmsDomain* domain = MmsDevice_getDomain(device, domainName);

-		if (domain == NULL) {
-			mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
-			goto exit_free_struct;
-		}
+        if (domain == NULL) {
+            mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
+            goto exit_free_struct;
+        }

 #if (CONFIG_MMS_SERVER_CONFIG_SERVICES_AT_RUNTIME == 1)
-		if (LinkedList_size(domain->namedVariableLists) < connection->server->maxDomainSpecificDataSets) {
+        if (LinkedList_size(domain->namedVariableLists) < connection->server->maxDomainSpecificDataSets) {
 #else
-		if (LinkedList_size(domain->namedVariableLists) < CONFIG_MMS_MAX_NUMBER_OF_DOMAIN_SPECIFIC_DATA_SETS) {
+        if (LinkedList_size(domain->namedVariableLists) < CONFIG_MMS_MAX_NUMBER_OF_DOMAIN_SPECIFIC_DATA_SETS) {
 #endif
-		    char variableListName[65];
+            char variableListName[65];

-		    if (request->variableListName.choice.domainspecific.itemId.size > 64) {
-		        mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
+            if (request->variableListName.choice.domainspecific.itemId.size > 64) {
+                mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_NON_EXISTENT);
                goto exit_free_struct;
-		    }
+            }

-		    StringUtils_createStringFromBufferInBuffer(variableListName,
-		            request->variableListName.choice.domainspecific.itemId.buf,
+            StringUtils_createStringFromBufferInBuffer(variableListName,
+                    request->variableListName.choice.domainspecific.itemId.buf,
                    request->variableListName.choice.domainspecific.itemId.size);

            if (MmsDomain_getNamedVariableList(domain, variableListName) != NULL) {
--- a/src/mms/iso_mms/server/mms_read_service.c
+++ b/src/mms/iso_mms/server/mms_read_service.c
@ -911,43 +911,50 @@ mmsServer_handleReadRequest(
 		ByteBuffer* response)
 {
    (void)bufPos;
-    (void)maxBufPos;

-	ReadRequest_t* request = 0; /* allow asn1c to allocate structure */
+    ReadRequest_t* request = NULL; /* allow asn1c to allocate structure */
+    MmsPdu_t* mmsPdu = NULL;

-	MmsPdu_t* mmsPdu = 0;
+    asn_dec_rval_t rval = ber_decode(NULL, &asn_DEF_MmsPdu, (void**) &mmsPdu, buffer, maxBufPos);

-	asn_dec_rval_t rval = ber_decode(NULL, &asn_DEF_MmsPdu, (void**) &mmsPdu, buffer, CONFIG_MMS_MAXIMUM_PDU_SIZE);
+    if (rval.code != RC_OK) {
+        mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
+        goto exit_function;
+    }

-	if (rval.code != RC_OK) {
-	    mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
+    if ((mmsPdu->present == MmsPdu_PR_confirmedRequestPdu) && 
+        (mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.present 
+            == ConfirmedServiceRequest_PR_read))
+    {
+        request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.read);
+    }
+    else {
+        mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
 	    goto exit_function;
-	}
-
-	request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.read);
+    }

-	if (request->variableAccessSpecification.present == VariableAccessSpecification_PR_listOfVariable) {
-		MmsServer_lockModel(connection->server);
+    if (request->variableAccessSpecification.present == VariableAccessSpecification_PR_listOfVariable) {
+        MmsServer_lockModel(connection->server);

-		handleReadListOfVariablesRequest(connection, request, invokeId, response);
+        handleReadListOfVariablesRequest(connection, request, invokeId, response);

-		MmsServer_unlockModel(connection->server);
-	}
+        MmsServer_unlockModel(connection->server);
+    }
 #if (MMS_DATA_SET_SERVICE == 1)
-	else if (request->variableAccessSpecification.present == VariableAccessSpecification_PR_variableListName) {
-		MmsServer_lockModel(connection->server);
+    else if (request->variableAccessSpecification.present == VariableAccessSpecification_PR_variableListName) {
+        MmsServer_lockModel(connection->server);

-		handleReadNamedVariableListRequest(connection, request, invokeId, response);
+        handleReadNamedVariableListRequest(connection, request, invokeId, response);

-		MmsServer_unlockModel(connection->server);
-	}
+        MmsServer_unlockModel(connection->server);
+    }
 #endif
-	else {
-		mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_ACCESS_UNSUPPORTED);
-	}
+    else {
+        mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_ACCESS_UNSUPPORTED);   
+    }

 exit_function:	
-	asn_DEF_MmsPdu.free_struct(&asn_DEF_MmsPdu, mmsPdu, 0);
+    asn_DEF_MmsPdu.free_struct(&asn_DEF_MmsPdu, mmsPdu, 0);
 }

 void
--- a/src/mms/iso_mms/server/mms_write_service.c
+++ b/src/mms/iso_mms/server/mms_write_service.c
@ -488,22 +488,31 @@ mmsServer_handleWriteRequest(
 		ByteBuffer* response)
 {
    (void)bufPos;
-    (void)maxBufPos;

-	MmsPdu_t* mmsPdu = 0;
+	MmsPdu_t* mmsPdu = NULL;
+    WriteRequest_t* writeRequest = NULL;

 	asn_dec_rval_t rval; /* Decoder return value  */

-	rval = ber_decode(NULL, &asn_DEF_MmsPdu, (void**) &mmsPdu, buffer, CONFIG_MMS_MAXIMUM_PDU_SIZE);
+	rval = ber_decode(NULL, &asn_DEF_MmsPdu, (void**) &mmsPdu, buffer, maxBufPos);

 	if (rval.code != RC_OK) {
 	    mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
 	    goto exit_function;
 	}

-        MmsServer_lockModel(connection->server);
+    if ((mmsPdu->present == MmsPdu_PR_confirmedRequestPdu) && 
+        (mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.present 
+            == ConfirmedServiceRequest_PR_write))
+    {
+         writeRequest = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.write);
+    }
+    else {
+        mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
+	    goto exit_function;
+    }

-	WriteRequest_t* writeRequest = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.write);
+    MmsServer_lockModel(connection->server);

 	if (writeRequest->variableAccessSpecification.present == VariableAccessSpecification_PR_variableListName) {
 	    handleWriteNamedVariableListRequest(connection, writeRequest, invokeId, response);