- MMS: added more length checks in parsers for file services

Michael Zillgith 2017-10-28 13:13:13 +02:00
parent cd8f5f483d
commit 5fb8c5b984
3 changed files with 13 additions and 3 deletions


@ -98,6 +98,8 @@ mmsClient_handleFileOpenRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) {
case 0xa0: /* filename */
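Review bot: The new bound `bufPos + length > maxBufPos` is evaluated in signed `int` arithmetic on a `length` taken from the peer's BER length field, so a very large or negative decoded value could wrap or pass the comparison instead of reaching exit_reject_invalid_pdu. Whether BerDecoder_decodeLength already rules such values out is not visible on this page; if it does not, the check is safer written as a subtraction with an explicit sign test, `if ((length < 0) || (length > maxBufPos - bufPos)) goto exit_reject_invalid_pdu;`. The same expression appears in the server-side handlers later in this commit (file open, obtain file, file rename, file directory). The enclosing loop and the switch body continue outside the hunk.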


@ -377,14 +377,18 @@ mmsMsg_openFile(const char* basepath, char* fileName, bool readWrite)
bool
mmsMsg_parseFileName(char* filename, uint8_t* buffer, int* bufPos, int maxBufPos , uint32_t invokeId, ByteBuffer* response)
{
if (*bufPos == maxBufPos)
return false;
uint8_t tag = buffer[(*bufPos)++];
int length;
if (tag != 0x19) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return false;
}
int length;
*bufPos = BerDecoder_decodeLength(buffer, &length, *bufPos, maxBufPos);
if (*bufPos < 0) {
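Review bot: The added guard `if (*bufPos == maxBufPos) return false;` leaves `response` untouched, whereas the wrong-tag path just below builds a reject PDU with mmsMsg_createMmsRejectPdu before returning false. A truncated PDU would therefore be answered differently from a malformed one, which is worth confirming against the call sites (not shown here). The comparison is also an exact equality, so a `*bufPos` already past `maxBufPos` would still reach the `buffer[(*bufPos)++]` read. Using `if (*bufPos >= maxBufPos)` followed by the same reject call would close both gaps. The function body continues past the end of this hunk.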


@ -316,6 +316,8 @@ mmsServer_handleFileOpenRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) {
case 0xa0: /* filename */
@ -575,6 +577,8 @@ mmsServer_handleObtainFileRequest(
if (bufPos < 0) goto exit_reject_invalid_pdu;
if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
switch(tag) {
case 0xa1: /* source filename */
@ -987,7 +991,7 @@ mmsServer_handleFileRenameRequest(
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) {
if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return;
}
@ -1071,7 +1075,7 @@ mmsServer_handleFileDirectoryRequest(
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
if (bufPos < 0) {
if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
return;
}
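Review bot: The decode-then-check sequence in mmsServer_handleFileRenameRequest and mmsServer_handleFileDirectoryRequest is duplicated line for line (BerDecoder_decodeLength, the combined `(bufPos < 0) || (bufPos + length > maxBufPos)` test, the reject PDU, `return`), while the open and obtain handlers above spell the same test as two separate `goto` lines. A small static helper that decodes the length and validates it against `maxBufPos` would keep the bounds rule in one place, so a later tightening of the check cannot miss a handler. A one-line comment such as `/* reject if the element would extend past the end of the PDU */` above the test would also record the intent. Both handlers' bodies extend beyond the hunks shown.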