RYTEC
/
libiec61850
mirror of https://github.com/mz-automation/libiec61850.git
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- fixed potential memory leak in MMS client journal service (LIB61850-451)

Browse Source
pull/521/head
Michael Zillgith 1 year ago
parent ac925fae8e
commit 379d21bfd1
1 changed files with 178 additions and 63 deletions
Show Stats Download Patch File Download Diff File

193
src/mms/iso_mms/client/mms_client_journals.c
Unescape Escape View File

@ -1,7 +1,7 @@
/* /*
* mms_client_journals.c * mms_client_journals.c
* *
* Copyright 2016 Michael Zillgith * Copyright 2016-2024 Michael Zillgith
* *
* This file is part of libIEC61850. * This file is part of libIEC61850.
* *
@ -38,15 +38,16 @@ parseJournalVariable(uint8_t* buffer, int bufPos, int maxLength, MmsJournalVaria
{ {
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
while (bufPos < maxBufPos) { while (bufPos < maxBufPos)
{
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
int length; int length;
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
@ -56,17 +57,23 @@ parseJournalVariable(uint8_t* buffer, int bufPos, int maxLength, MmsJournalVaria
switch (tag) { switch (tag) {
case 0x80: /* variableTag */ case 0x80: /* variableTag */
if (journalVariable->tag == NULL) { if (journalVariable->tag == NULL)
{
journalVariable->tag = (char*) GLOBAL_MALLOC(length + 1); journalVariable->tag = (char*) GLOBAL_MALLOC(length + 1);
if (journalVariable->tag)
{
memcpy(journalVariable->tag, buffer + bufPos, length); memcpy(journalVariable->tag, buffer + bufPos, length);
journalVariable->tag[length] = 0; journalVariable->tag[length] = 0;
} }
}
break; break;
case 0xa1: /* valueSpec */ case 0xa1: /* valueSpec */
if (journalVariable->value == NULL) { if (journalVariable->value == NULL)
{
journalVariable->value = MmsValue_decodeMmsData(buffer, bufPos, bufPos + length, NULL); journalVariable->value = MmsValue_decodeMmsData(buffer, bufPos, bufPos + length, NULL);
} }
@ -91,30 +98,52 @@ parseJournalVariables(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntr
{ {
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
while (bufPos < maxBufPos) { while (bufPos < maxBufPos)
{
int length; int length;
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
return false; return false;
} }
MmsJournalVariable journalVariable;
switch (tag) { switch (tag) {
case 0x30: /* journalVariable */ case 0x30: /* journalVariable */
journalVariable = (MmsJournalVariable) MmsJournalVariable journalVariable = (MmsJournalVariable)
GLOBAL_CALLOC(1, sizeof(struct sMmsJournalVariable)); GLOBAL_CALLOC(1, sizeof(struct sMmsJournalVariable));
parseJournalVariable(buffer, bufPos, length, journalVariable); if (journalVariable)
{
if (parseJournalVariable(buffer, bufPos, length, journalVariable))
{
LinkedList_add(journalEntry->journalVariables, (void*) journalVariable); LinkedList_add(journalEntry->journalVariables, (void*) journalVariable);
}
else
{
if (journalVariable->tag)
GLOBAL_FREEMEM(journalVariable->tag);
if (journalVariable->value)
MmsValue_delete(journalVariable->value);
GLOBAL_FREEMEM(journalVariable);
return false;
}
}
else
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: out of memory\n");
return false;
}
break; break;
@ -136,13 +165,14 @@ parseData(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry journalEnt
{ {
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
while (bufPos < maxBufPos) { while (bufPos < maxBufPos)
{
int length; int length;
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
@ -151,10 +181,29 @@ parseData(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry journalEnt
switch (tag) { switch (tag) {
case 0xa1: /* journalVariables */ case 0xa1: /* journalVariables */
if (journalEntry->journalVariables)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: duplicate journalVariables\n");
return false;
}
else
{
journalEntry->journalVariables = LinkedList_create(); journalEntry->journalVariables = LinkedList_create();
if (journalEntry->journalVariables == NULL)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: out of memory\n");
return false;
}
else
{
parseJournalVariables(buffer, bufPos, length, journalEntry); parseJournalVariables(buffer, bufPos, length, journalEntry);
}
}
break; break;
@ -163,7 +212,6 @@ parseData(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry journalEnt
default: default:
break; break;
} }
bufPos += length; bufPos += length;
@ -177,13 +225,14 @@ parseEntryContent(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry jo
{ {
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
while (bufPos < maxBufPos) { while (bufPos < maxBufPos)
{
int length; int length;
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
@ -192,6 +241,16 @@ parseEntryContent(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry jo
switch (tag) { switch (tag) {
case 0x80: /* occurenceTime */ case 0x80: /* occurenceTime */
if (journalEntry->occurenceTime)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: duplicate occurenceTime\n");
return false;
}
else
{
if (length == 6) if (length == 6)
journalEntry->occurenceTime = MmsValue_newBinaryTime(false); journalEntry->occurenceTime = MmsValue_newBinaryTime(false);
else if (length == 4) else if (length == 4)
@ -200,6 +259,7 @@ parseEntryContent(uint8_t* buffer, int bufPos, int maxLength, MmsJournalEntry jo
break; break;
memcpy(journalEntry->occurenceTime->value.binaryTime.buf, buffer + bufPos, length); memcpy(journalEntry->occurenceTime->value.binaryTime.buf, buffer + bufPos, length);
}
break; break;
@ -230,26 +290,46 @@ parseJournalEntry(uint8_t* buffer, int bufPos, int maxLength, LinkedList journal
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
MmsJournalEntry journalEntry = (MmsJournalEntry) GLOBAL_CALLOC(1, sizeof(struct sMmsJournalEntry)); MmsJournalEntry journalEntry = (MmsJournalEntry) GLOBAL_CALLOC(1, sizeof(struct sMmsJournalEntry));
LinkedList_add(journalEntries, (void*) journalEntry);
while (bufPos < maxBufPos) { if (journalEntry == NULL)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: out of memory\n");
return false;
}
while (bufPos < maxBufPos)
{
int length; int length;
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
return false; goto exit_error;
} }
switch (tag) { switch (tag)
{
case 0x80: /* entryID */ case 0x80: /* entryID */
if (journalEntry->entryID)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: duplicate entryID\n");
goto exit_error;
}
else
{
journalEntry->entryID = MmsValue_newOctetString(length, length); journalEntry->entryID = MmsValue_newOctetString(length, length);
if (journalEntry->entryID)
MmsValue_setOctetString(journalEntry->entryID, buffer + bufPos, length); MmsValue_setOctetString(journalEntry->entryID, buffer + bufPos, length);
}
break; break;
case 0xa1: /* originatingApplication */ case 0xa1: /* originatingApplication */
@ -258,7 +338,7 @@ parseJournalEntry(uint8_t* buffer, int bufPos, int maxLength, LinkedList journal
case 0xa2: /* entryContent */ case 0xa2: /* entryContent */
if (parseEntryContent(buffer, bufPos, length, journalEntry) == false) if (parseEntryContent(buffer, bufPos, length, journalEntry) == false)
return false; goto exit_error;
break; break;
@ -269,13 +349,21 @@ parseJournalEntry(uint8_t* buffer, int bufPos, int maxLength, LinkedList journal
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: unknown tag %02x\n", tag); printf("MMS_CLIENT: parseReadJournalResponse: unknown tag %02x\n", tag);
return false; goto exit_error;
} }
bufPos += length; bufPos += length;
} }
LinkedList_add(journalEntries, (void*) journalEntry);
return true; return true;
exit_error:
MmsJournalEntry_destroy(journalEntry);
return false;
} }
static bool static bool
@ -283,14 +371,14 @@ parseListOfJournalEntries(uint8_t* buffer, int bufPos, int maxLength, LinkedList
{ {
int maxBufPos = bufPos + maxLength; int maxBufPos = bufPos + maxLength;
while (bufPos < maxBufPos)
while (bufPos < maxBufPos) { {
int length; int length;
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n"); printf("MMS_CLIENT: parseReadJournalResponse: invalid length field\n");
@ -322,8 +410,6 @@ parseListOfJournalEntries(uint8_t* buffer, int bufPos, int maxLength, LinkedList
bool bool
mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* moreFollows, LinkedList* result) mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* moreFollows, LinkedList* result)
{ {
uint8_t* buffer = ByteBuffer_getBuffer(response); uint8_t* buffer = ByteBuffer_getBuffer(response);
int maxBufPos = ByteBuffer_getSize(response); int maxBufPos = ByteBuffer_getSize(response);
int bufPos = respBufPos; int bufPos = respBufPos;
@ -331,7 +417,8 @@ mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* m
uint8_t tag = buffer[bufPos++]; uint8_t tag = buffer[bufPos++];
if (tag != 0xbf) { if (tag != 0xbf)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: unknown tag %02x\n", tag); printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: unknown tag %02x\n", tag);
return false; return false;
@ -342,7 +429,8 @@ mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* m
if (moreFollows) if (moreFollows)
*moreFollows = false; *moreFollows = false;
if (tag != 0x41) { if (tag != 0x41)
{
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: unknown tag %02x\n", tag); printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: unknown tag %02x\n", tag);
return false; return false;
@ -355,17 +443,43 @@ mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* m
LinkedList journalEntries = NULL; LinkedList journalEntries = NULL;
while (bufPos < endPos) { while (bufPos < endPos)
{
tag = buffer[bufPos++]; tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) return false; if (bufPos < 0) return false;
switch (tag) { switch (tag) {
case 0xa0: /* listOfJournalEntry */ case 0xa0: /* listOfJournalEntry */
if (journalEntries)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: duplicate listOfJournalEntry\n");
LinkedList_destroyDeep(journalEntries, (LinkedListValueDeleteFunction) MmsJournalEntry_destroy);
return false;
}
else
{
journalEntries = LinkedList_create(); journalEntries = LinkedList_create();
if (journalEntries)
{
if (!parseListOfJournalEntries(buffer, bufPos, length, journalEntries)) if (!parseListOfJournalEntries(buffer, bufPos, length, journalEntries))
{
LinkedList_destroyDeep(journalEntries, (LinkedListValueDeleteFunction) MmsJournalEntry_destroy);
return false; return false;
}
}
else
{
return false;
}
}
break; break;
case 0x81: /* moreFollows */ case 0x81: /* moreFollows */
@ -380,6 +494,8 @@ mmsClient_parseReadJournalResponse(ByteBuffer* response, int respBufPos, bool* m
if (DEBUG_MMS_CLIENT) if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: message contains unknown tag %02x!\n", tag); printf("MMS_CLIENT: mmsClient_parseReadJournalResponse: message contains unknown tag %02x!\n", tag);
LinkedList_destroyDeep(journalEntries, (LinkedListValueDeleteFunction) MmsJournalEntry_destroy);
return false; return false;
} }
@ -524,4 +640,3 @@ mmsClient_createReadJournalRequestStartAfter(uint32_t invokeId, ByteBuffer* requ
request->size = bufPos; request->size = bufPos;
} }

Write Preview
Loading…
Cancel
Save