RYTEC
/
libiec61850
mirror of https://github.com/mz-automation/libiec61850.git
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- fixed unbounded recursion in MmsValue_decodeMmsData (LIB61850-452)

Browse Source
pull/521/head
Michael Zillgith 1 year ago
parent 379d21bfd1
commit cdcb7555cf
2 changed files with 34 additions and 3 deletions
Show Stats Download Patch File Download Diff File

14
src/mms/inc/mms_value.h
Unescape Escape View File

@ -1018,6 +1018,20 @@ MmsValue_printToBuffer(const MmsValue* self, char* buffer, int bufferSize);
LIB61850_API MmsValue* LIB61850_API MmsValue*
MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos); MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos);
/**
* \brief create a new MmsValue instance from a BER encoded MMS Data element (deserialize) with a defined maximum recursion depth
*
* \param buffer the buffer to read from
* \param bufPos the start position of the mms value data in the buffer
* \param bufferLength the length of the buffer
* \param endBufPos the position in the buffer after the read MMS data element (NULL if not required)
* \param maxDepth the maximum recursion depth
*
* \return the MmsValue instance created from the buffer
*/
LIB61850_API MmsValue*
MmsValue_decodeMmsDataMaxRecursion(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos, int maxDepth);
/** /**
* \brief Serialize the MmsValue instance as BER encoded MMS Data element * \brief Serialize the MmsValue instance as BER encoded MMS Data element
* *

23
src/mms/iso_mms/server/mms_access_result.c
Unescape Escape View File

@ -152,9 +152,14 @@ exit_with_error:
return -1; return -1;
} }
MmsValue* static MmsValue*
MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos) MmsValue_decodeMmsDataRecursive(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos, int depth, int maxDepth)
{ {
depth++;
if (depth > maxDepth)
return NULL;
MmsValue* value = NULL; MmsValue* value = NULL;
int dataEndBufPos = bufferLength; int dataEndBufPos = bufferLength;
@ -206,7 +211,7 @@ MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBu
int elementBufLength = newBufPos - bufPos + elementLength; int elementBufLength = newBufPos - bufPos + elementLength;
MmsValue* elementValue = MmsValue_decodeMmsData(buffer, bufPos, bufPos + elementBufLength, NULL); MmsValue* elementValue = MmsValue_decodeMmsDataRecursive(buffer, bufPos, bufPos + elementBufLength, NULL, depth, maxDepth);
if (elementValue == NULL) if (elementValue == NULL)
goto exit_with_error; goto exit_with_error;
@ -338,6 +343,18 @@ exit_with_error:
return NULL; return NULL;
} }
MmsValue*
MmsValue_decodeMmsDataMaxRecursion(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos, int maxDepth)
{
return MmsValue_decodeMmsDataRecursive(buffer, bufPos, bufferLength, endBufPos, 0, maxDepth);
}
MmsValue*
MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBufPos)
{
return MmsValue_decodeMmsDataMaxRecursion(buffer, bufPos, bufferLength, endBufPos, 25);
}
static int static int
MmsValue_getMaxStructSize(MmsValue* self) MmsValue_getMaxStructSize(MmsValue* self)
{ {

Write Preview
Loading…
Cancel
Save