From ac925fae8e281ac6defcd630e9dd756264e9c5bc Mon Sep 17 00:00:00 2001 From: Michael Zillgith Date: Tue, 23 Jul 2024 18:50:15 +0100 Subject: [PATCH] - fixed potential buffer overflows in MMS client file service handling (LIB61850-449) --- src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c index 5ea8fb01..0d8d5006 100644 --- a/src/mms/iso_mms/client/mms_client_files.c +++ b/src/mms/iso_mms/client/mms_client_files.c @@ -484,8 +484,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi break; case 0x81: /* lastModified */ { - if (lastModified != NULL) { + if (lastModified != NULL) + { char gtString[40]; + + if (length > sizeof(gtString) - 1) + return false; /* lastModified string too long */ + memcpy(gtString, buffer + bufPos, length); gtString[length] = 0; *lastModified = Conversions_generalizedTimeToMsTime(gtString); @@ -512,12 +517,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI uint32_t fileSize = 0; uint64_t lastModified = 0; - while (bufPos < maxBufPos) { + while (bufPos < maxBufPos) + { uint8_t tag = buffer[bufPos++]; int length; bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); - if (bufPos < 0) { + if (bufPos < 0) + { if (DEBUG_MMS_CLIENT) printf("MMS_CLIENT: invalid length field\n"); return false; 
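Review bot: The new length guard in the `case 0x81` branch bounds the copy against gtString but not against the end of the received message: `memcpy(gtString, buffer + bufPos, length)` still reads `length` bytes starting at `bufPos` with no visible check that `bufPos + length <= maxBufPos`. If BerDecoder_decodeLength already rejects a length that runs past maxBufPos that is sufficient, but that guarantee is not shown in this hunk, so an explicit `if (length < 0 || bufPos + length > maxBufPos) return false;` ahead of the memcpy would make the bound independent of the decoder. The rejection of a negative `length` currently relies on the implicit int-to-size_t conversion turning it into a huge unsigned value; spelling it `if (length < 0 || (size_t)length > sizeof(gtString) - 1)` makes that intent explicit and keeps -Wsign-compare quiet. The later hunk logs a debug message before returning false while this one returns silently, so for consistency `if (DEBUG_MMS_CLIENT) printf("MMS_CLIENT: lastModified too long\n");` could precede the return. parseFileAttributes starts before this hunk and the code that advances bufPos past the field lies outside it.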
@@ -531,12 +538,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI tag = buffer[bufPos++]; bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); - if (bufPos < 0) { + if (bufPos < 0) + { if (DEBUG_MMS_CLIENT) printf("MMS_CLIENT: invalid length field\n"); return false; } + if (length > (sizeof(fileNameMemory) - 1)) + { + if (DEBUG_MMS_CLIENT) + printf("MMS_CLIENT: filename too long\n"); + return false; + } + memcpy(filename, buffer + bufPos, length); filename[length] = 0;
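Review bot: The added `if (length > (sizeof(fileNameMemory) - 1))` check bounds the destination, but `memcpy(filename, buffer + bufPos, length)` still has no visible guard that `bufPos + length <= maxBufPos`, so a directory entry whose encoded length exceeds the remaining message can read past the received buffer unless BerDecoder_decodeLength (not shown here) already enforces that. An explicit `if (length < 0 || bufPos + length > maxBufPos) return false;` beside the new check closes that regardless of the decoder's behaviour. The check is only correct if fileNameMemory is declared as an array (not a pointer) and is the storage that filename points into; its declaration is outside this hunk, so that should be confirmed, since sizeof on a pointer would yield 4 or 8. Rejecting a negative `length` here depends on the int-to-size_t promotion making it compare large; `if (length < 0 || (size_t)length > sizeof(fileNameMemory) - 1)` states that directly. parseDirectoryEntry begins before this hunk and continues after it.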