- ACSE: fixed out-of-bounds read in parseAarqPdu function (LIB61850-441)(#512)

1 year ago · 501dffe6d0
parent ac17349053
commit 501dffe6d0
1 changed files with 6 additions and 2 deletions
--- a/src/mms/iso_acse/acse.c
+++ b/src/mms/iso_acse/acse.c
@ -263,13 +263,17 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
    int authMechLen = 0;
    bool userInfoValid = false;

-    while (bufPos < maxBufPos) {
+    while (bufPos < maxBufPos)
+    {
        uint8_t tag = buffer[bufPos++];
        int len;

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);

-        if (bufPos < 0) {
+        if (len == 0)
+            continue;
+
+        if ((bufPos < 0) || (bufPos + len > maxBufPos)) {
            if (DEBUG_ACSE)
                printf("ACSE: Invalid PDU!\n");
            return ACSE_ASSOCIATE_FAILED;