- fixed potential buffer overflows in MMS client file service handling (LIB61850-449)

v1.5
Michael Zillgith 1 year ago
parent 3c29e85b00
commit 3bc94bf1bd

@ -487,8 +487,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
break;
case 0x81: /* lastModified */
{
if (lastModified != NULL) {
if (lastModified != NULL)
{
char gtString[40];
if (length > sizeof(gtString) - 1)
return false; /* lastModified string too long */
memcpy(gtString, buffer + bufPos, length);
gtString[length] = 0;
*lastModified = Conversions_generalizedTimeToMsTime(gtString);
@ -515,12 +520,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
uint32_t fileSize = 0;
uint64_t lastModified = 0;
while (bufPos < maxBufPos) {
while (bufPos < maxBufPos)
{
uint8_t tag = buffer[bufPos++];
int length;
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) {
if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: invalid length field\n");
return false;
@ -534,12 +541,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
tag = buffer[bufPos++];
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) {
if (bufPos < 0)
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: invalid length field\n");
return false;
}
if (length > (sizeof(fileNameMemory) - 1))
{
if (DEBUG_MMS_CLIENT)
printf("MMS_CLIENT: filename too long\n");
return false;
}
memcpy(filename, buffer + bufPos, length);
filename[length] = 0;
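Review bot: The two new checks (`length > sizeof(gtString) - 1` in parseFileAttributes and `length > (sizeof(fileNameMemory) - 1)` in parseDirectoryEntry) bound only the destination of the following `memcpy`. Nothing in the visible lines confirms that `bufPos + length` stays within `maxBufPos`, so the source-side read depends on `BerDecoder_decodeLength` having validated it, which cannot be seen from here. In parseDirectoryEntry `length` is declared `int`, so the comparison also relies on implicit conversion to `size_t` to reject a negative value; that works but is easy to break in a later edit. Spelling both conditions out at the copy site, e.g. `if (length < 0 || (size_t)length > sizeof(gtString) - 1 || length > maxBufPos - bufPos) return false;`, would make the intent explicit. The lastModified branch also returns silently while the filename branch logs under `DEBUG_MMS_CLIENT`, so a matching debug message there would help when triaging malformed server responses; both functions begin and end outside the hunks shown.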
