RYTEC
/
libiec61850
mirror of https://github.com/mz-automation/libiec61850.git
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- MMS: added more length checks in parsers for file services

Browse Source
pull/30/head
Michael Zillgith 8 years ago
parent cd8f5f483d
commit 5fb8c5b984
3 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File

2
src/mms/iso_mms/client/mms_client_files.c
Unescape Escape View File

@ -98,6 +98,8 @@ mmsClient_handleFileOpenRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu; if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) { switch(tag) {
case 0xa0: /* filename */ case 0xa0: /* filename */

6
src/mms/iso_mms/common/mms_common_msg.c
Unescape Escape View File

@ -377,14 +377,18 @@ mmsMsg_openFile(const char* basepath, char* fileName, bool readWrite)
bool bool
mmsMsg_parseFileName(char* filename, uint8_t* buffer, int* bufPos, int maxBufPos , uint32_t invokeId, ByteBuffer* response) mmsMsg_parseFileName(char* filename, uint8_t* buffer, int* bufPos, int maxBufPos , uint32_t invokeId, ByteBuffer* response)
{ {
if (*bufPos == maxBufPos)
return false;
uint8_t tag = buffer[(*bufPos)++]; uint8_t tag = buffer[(*bufPos)++];
int length;
if (tag != 0x19) { if (tag != 0x19) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response); mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return false; return false;
} }
int length;
*bufPos = BerDecoder_decodeLength(buffer, &length, *bufPos, maxBufPos); *bufPos = BerDecoder_decodeLength(buffer, &length, *bufPos, maxBufPos);
if (*bufPos < 0) { if (*bufPos < 0) {

8
src/mms/iso_mms/server/mms_file_service.c
Unescape Escape View File

@ -316,6 +316,8 @@ mmsServer_handleFileOpenRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu; if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) { switch(tag) {
case 0xa0: /* filename */ case 0xa0: /* filename */
@ -575,6 +577,8 @@ mmsServer_handleObtainFileRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu; if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) { switch(tag) {
case 0xa1: /* source filename */ case 0xa1: /* source filename */
@ -987,7 +991,7 @@ mmsServer_handleFileRenameRequest(
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response); mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return; return;
} }
@ -1071,7 +1075,7 @@ mmsServer_handleFileDirectoryRequest(
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) { if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response); mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return; return;
} }

Write Preview
Loading…
Cancel
Save