- ACSE: fixed out-of-bound read in parseAarqPdu/parseAarePdu functions (#512)(#513)(LIB61850-441)(LIB61850-442)

1 year ago · 7d4614ad54
parent c62287c7c3
commit 7d4614ad54
1 changed files with 21 additions and 2 deletions
--- a/src/mms/iso_acse/acse.c
+++ b/src/mms/iso_acse/acse.c
@ -190,10 +190,18 @@ parseAarePdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);

+        if (bufPos < 0)
+        {
+            if (DEBUG_ACSE)
+                printf("ACSE: Invalid PDU!\n");
+            return ACSE_ERROR;
+        }
+
        if (len == 0)
            continue;

-        if ((bufPos < 0) || (bufPos + len > maxBufPos)) {
+        if (bufPos + len > maxBufPos)
+        {
            if (DEBUG_ACSE)
                printf("ACSE: Invalid PDU!\n");
            return ACSE_ERROR;
@ -279,7 +287,18 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)

        bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);

-        if (bufPos < 0) {
+        if (bufPos < 0)
+        {
+            if (DEBUG_ACSE)
+                printf("ACSE: Invalid PDU!\n");
+            return ACSE_ASSOCIATE_FAILED;
+        }
+
+        if (len == 0)
+            continue;
+
+        if (bufPos + len > maxBufPos)
+        {
            if (DEBUG_ACSE)
                printf("ACSE: Invalid PDU!\n");
            return ACSE_ASSOCIATE_FAILED;