From 32087c47dea6a551610bed3dec7cb94d7d89e5ac Mon Sep 17 00:00:00 2001 From: Michael Zillgith Date: Thu, 23 Dec 2021 09:28:05 +0100 Subject: [PATCH] - fix - server crashes when presentation message has no user data (LIB61850-291)(#368) --- src/mms/iso_presentation/iso_presentation.c | 18 ++++++++++++++++++ src/mms/iso_server/iso_connection.c | 4 ++++ 2 files changed, 22 insertions(+) diff --git a/src/mms/iso_presentation/iso_presentation.c b/src/mms/iso_presentation/iso_presentation.c index ca0e7ee1..c48c4a87 100644 --- a/src/mms/iso_presentation/iso_presentation.c +++ b/src/mms/iso_presentation/iso_presentation.c @@ -398,10 +398,18 @@ parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLengt self->calledPresentationSelector.size = 0; self->callingPresentationSelector.size = 0; + bool hasUserData = false; + while (bufPos < endPos) { uint8_t tag = buffer[bufPos++]; int len; + if (bufPos == endPos) { + if (DEBUG_PRES) + printf("PRES: invalid message\n"); + return -1; + } + bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, endPos); if (bufPos < 0) { @@ -458,6 +466,9 @@ parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLengt if (bufPos < 0) return -1; + if (self->nextPayload.size > 0) + hasUserData = true; + break; case 0x00: /* indefinite length end tag -> ignore */ @@ -471,6 +482,13 @@ parseNormalModeParameters(IsoPresentation* self, uint8_t* buffer, int totalLengt } } + if (hasUserData == false) { + if (DEBUG_PRES) + printf("PRES: user-data is missing\n"); + + return -1; + } + return bufPos; } diff --git a/src/mms/iso_server/iso_connection.c b/src/mms/iso_server/iso_connection.c index 7e2a5b3f..5f1b7b5f 100644 --- a/src/mms/iso_server/iso_connection.c +++ b/src/mms/iso_server/iso_connection.c @@ -308,6 +308,10 @@ IsoConnection_handleTcpConnection(IsoConnection self, bool isSingleThread) } } + else { + self->state = ISO_CON_STATE_STOPPED; + } + break; case SESSION_DATA: if (DEBUG_ISO_SERVER)
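Review bot: `self->nextPayload.size` is not cleared next to the two selector resets at the top of the first `iso_presentation.c` hunk. The `hasUserData` test added further down could therefore be satisfied by a value left over from an earlier message, if the user-data parser ever returns successfully without writing it. Adding `self->nextPayload.size = 0;` beside `self->callingPresentationSelector.size = 0;` would make the missing-user-data rejection independent of prior connection state. The new `bufPos == endPos` guard would also benefit from a short comment such as `/* tag was the last octet: no length octet left to read */`. The function starts before and continues past this hunk, so a reset may already exist outside the visible lines.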
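Review bot: In the second `iso_presentation.c` hunk, `hasUserData` is derived from `self->nextPayload.size > 0` rather than from the user-data element having been seen. A user-data element that decodes to an empty payload is therefore rejected by the later check exactly as if it were absent. That looks like the intended defensive behaviour, but the code does not say so; a comment above the test such as `/* empty user data is treated the same as missing user data */` would record the decision. The enclosing `case` label and the call that fills `nextPayload` lie outside this hunk.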
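Review bot: In the third `iso_presentation.c` hunk, `if (hasUserData == false)` would read more idiomatically as `if (!hasUserData)`, matching the plain truth tests used around it (`if (DEBUG_PRES)`). The function now returns -1 both for decode errors and for a well-formed message that carries no user data, so callers cannot tell the two apart. Since the function's start is outside this hunk, the suggestion is a comment above its definition stating that -1 also covers absent or empty user data.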
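Review bot: The new `else` branch in `IsoConnection_handleTcpConnection` sets `ISO_CON_STATE_STOPPED` without leaving any trace, while the adjacent `SESSION_DATA` case reports under `DEBUG_ISO_SERVER`. A peer message being rejected and the connection stopped is the event an operator most needs to see when diagnosing malformed or hostile traffic. Consider adding, inside the branch, `if (DEBUG_ISO_SERVER) printf("ISO_SERVER: message rejected - closing connection\n");` (wording constructed here; match the file's existing messages). The `if` this `else` pairs with is outside the hunk, so a one-line comment naming the failure it handles would also help readers.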