- MMS client: improved handling of malformed messages when receiving reports

- MMS client: fixed potential memory leak when receiving malformed messages
7 years ago · 233cd20fd0
parent 0d49e8c1d2
commit 233cd20fd0
4 changed files with 56 additions and 35 deletions
--- a/src/iec61850/client/client_report.c
+++ b/src/iec61850/client/client_report.c
@ -43,6 +43,8 @@ struct sClientReport
    char* dataSetName;
    int dataSetNameSize; /* size of the dataSetName buffer */
    int dataSetSize;
    MmsValue* entryId;
    MmsValue* dataReferences;
    MmsValue* dataSetValues;
@ -93,6 +95,8 @@ ClientReport_create()
 {
    ClientReport self = (ClientReport) GLOBAL_CALLOC(1, sizeof(struct sClientReport));
    self->dataSetSize = -1;
    return self;
 }
@ -607,6 +611,18 @@ private_IedConnection_handleReport(IedConnection self, MmsValue* value)
    int dataSetSize = MmsValue_getBitStringSize(inclusion);
    if (matchingReport->dataSetSize == -1) {
        matchingReport->dataSetSize = dataSetSize;
    }
    else {
        if (dataSetSize != matchingReport->dataSetSize) {
            if (DEBUG_IED_CLIENT)
                printf("IED_CLIENT: received malformed report (inclusion has no plausible size)\n");
            goto exit_function;
        }
    }
    int includedElements = MmsValue_getNumberOfSetBits(inclusion);
    if (DEBUG_IED_CLIENT)
--- a/src/iec61850/client/ied_connection.c
+++ b/src/iec61850/client/ied_connection.c
@ -437,6 +437,7 @@ informationReportHandler(void* parameter, char* domainName,
    if (DEBUG_IED_CLIENT)
        printf("DEBUG_IED_CLIENT: received information report for %s\n", variableListName);
    if (value) {
        if (domainName == NULL) {
            if (isVariableListName) {
@ -470,6 +471,7 @@ informationReportHandler(void* parameter, char* domainName,
        }
        MmsValue_delete(value);
    }
 }
 static IedConnection
--- a/src/mms/iso_mms/client/mms_client_get_var_access.c
+++ b/src/mms/iso_mms/client/mms_client_get_var_access.c
@ -138,8 +138,7 @@ mmsClient_parseGetVariableAccessAttributesResponse(ByteBuffer* message, uint32_t
    asn_dec_rval_t rval = ber_decode(NULL, &asn_DEF_MmsPdu,
            (void**) &mmsPdu, ByteBuffer_getBuffer(message), ByteBuffer_getSize(message));
-    if (rval.code != RC_OK)
+    if (rval.code == RC_OK) {
        return NULL;
        if (mmsPdu->present == MmsPdu_PR_confirmedResponsePdu) {
@ -157,6 +156,7 @@ mmsClient_parseGetVariableAccessAttributesResponse(ByteBuffer* message, uint32_t
                typeSpec = createTypeSpecification(asnTypeSpec);
            }
        }
    }
    asn_DEF_MmsPdu.free_struct(&asn_DEF_MmsPdu, mmsPdu, 0);
--- a/src/mms/iso_mms/common/mms_value.c
+++ b/src/mms/iso_mms/common/mms_value.c
@ -1190,6 +1190,9 @@ MmsValue_deleteIfNotNull(MmsValue* self)
 void
 MmsValue_delete(MmsValue* self)
 {
    if (self == NULL)
        return;
    switch (self->type)
    {
    case MMS_INTEGER: