From 5fb8c5b9845e4d551d4f587519e8691098a4f095 Mon Sep 17 00:00:00 2001
From: Michael Zillgith <michael.zillgith@mz-automation.de>
Date: Sat, 28 Oct 2017 13:13:13 +0200
Subject: [PATCH] - MMS: added more length checks in parsers for file services

---
 src/mms/iso_mms/client/mms_client_files.c | 2 ++
 src/mms/iso_mms/common/mms_common_msg.c   | 6 +++++-
 src/mms/iso_mms/server/mms_file_service.c | 8 ++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
index 19cfed8..1eb7989 100644
--- a/src/mms/iso_mms/client/mms_client_files.c
+++ b/src/mms/iso_mms/client/mms_client_files.c
@@ -98,6 +98,8 @@ mmsClient_handleFileOpenRequest(
 
         if (bufPos < 0) goto exit_reject_invalid_pdu;
 
+        if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
         switch(tag) {
         case 0xa0: /* filename */
 
diff --git a/src/mms/iso_mms/common/mms_common_msg.c b/src/mms/iso_mms/common/mms_common_msg.c
index 55da14d..75443e7 100644
--- a/src/mms/iso_mms/common/mms_common_msg.c
+++ b/src/mms/iso_mms/common/mms_common_msg.c
@@ -377,14 +377,18 @@ mmsMsg_openFile(const char* basepath, char* fileName, bool readWrite)
 bool
 mmsMsg_parseFileName(char* filename, uint8_t* buffer, int* bufPos, int maxBufPos , uint32_t invokeId, ByteBuffer* response)
 {
+    if (*bufPos == maxBufPos)
+        return false;
+
     uint8_t tag = buffer[(*bufPos)++];
-    int length;
 
     if (tag != 0x19) {
       mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
       return false;
     }
 
+    int length;
+
     *bufPos = BerDecoder_decodeLength(buffer, &length, *bufPos, maxBufPos);
 
     if (*bufPos < 0)  {
diff --git a/src/mms/iso_mms/server/mms_file_service.c b/src/mms/iso_mms/server/mms_file_service.c
index 42feced..a9f9b7c 100644
--- a/src/mms/iso_mms/server/mms_file_service.c
+++ b/src/mms/iso_mms/server/mms_file_service.c
@@ -316,6 +316,8 @@ mmsServer_handleFileOpenRequest(
 
         if (bufPos < 0) goto exit_reject_invalid_pdu;
 
+        if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
         switch(tag) {
         case 0xa0: /* filename */
 
@@ -575,6 +577,8 @@ mmsServer_handleObtainFileRequest(
 
         if (bufPos < 0) goto exit_reject_invalid_pdu;
 
+        if (bufPos + length > maxBufPos) goto exit_reject_invalid_pdu;
+
         switch(tag) {
 
         case 0xa1: /* source filename */
@@ -987,7 +991,7 @@ mmsServer_handleFileRenameRequest(
 
         bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
 
-        if (bufPos < 0)  {
+        if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
             mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
             return;
         }
@@ -1071,7 +1075,7 @@ mmsServer_handleFileDirectoryRequest(
 
         bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
 
-        if (bufPos < 0)  {
+        if ((bufPos < 0) || (bufPos + length > maxBufPos)) {
             mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
             return;
         }