There is a hack in the Python script that generates the C file to determine the type of each integer length field and emit an explicit cast.
Also extends some of the bounds checks to reject negative values (a prefix smaller than the number of bytes already consumed).
*len -= 4;
{% elif field.type == "bytearray" %}
{% if field.len_from_prefix %}
*len -= 4;
{% elif field.type == "bytearray" %}
{% if field.len_from_prefix %}
- object->{{field.len_field}} = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->{{field.len_field}} = (uint16_t) (prefix - (offset - *len));
{% endif %}
if (object->{{field.len_field}} > 0) {
if (*len < object->{{field.len_field}}) {
{% endif %}
if (object->{{field.len_field}} > 0) {
if (*len < object->{{field.len_field}}) {
}
{% elif field.type == "chararray" %}
{% if field.len_from_prefix %}
}
{% elif field.type == "chararray" %}
{% if field.len_from_prefix %}
- if (prefix - (offset - *len) >= {{field.size}}) {
+ if (prefix - (offset - *len) >= {{field.size}} || prefix < (offset - *len)) {
- object->{{field.len_field}} = prefix - (offset - *len);
+{% if field.size == 255 %}
+ object->{{field.len_field}} = (uint8_t) (prefix - (offset - *len));
+{% else %}
+ object->{{field.len_field}} = (uint16_t) (prefix - (offset - *len));
+{% endif %}
{% endif %}
if (object->{{field.len_field}} > 0) {
if (*len < object->{{field.len_field}}) {
{% endif %}
if (object->{{field.len_field}} > 0) {
if (*len < object->{{field.len_field}}) {
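Review bot: In the chararray guard the new `|| prefix < (offset - *len)` test runs only after `prefix - (offset - *len) >= {{field.size}}` has already computed the very difference it is meant to protect; reorder it to `if (prefix < (offset - *len) || prefix - (offset - *len) >= {{field.size}}) {` so the short-circuit does the guarding (the operand types are not visible in this hunk, so whether the unguarded subtraction merely wraps or is signed overflow cannot be told from here). The bytearray branch has the opposite gap: it casts to `uint16_t` with no upper bound, so a difference above 65535 would be silently truncated and the subsequent `*len < object->{{field.len_field}}` check would only validate the truncated value; add `|| prefix - (offset - *len) > UINT16_MAX` to the new `prefix < (offset - *len)` test, mirroring the chararray branch. Selecting `uint8_t` only when `field.size == 255` ties the C type to a magic number rather than to the declared field type, which is presumably why the description calls it a hack; at minimum a template comment such as `{# uint8_t only for size 255; any other size is assumed to be a 16-bit length field #}` should state that assumption where the cast is chosen. The enclosing template block starts and ends outside this hunk.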
if (!DNP3ReadUint8(buf, len, &object->status_code)) {
goto error;
}
if (!DNP3ReadUint8(buf, len, &object->status_code)) {
goto error;
}
- if (prefix - (offset - *len) >= 255) {
+ if (prefix - (offset - *len) >= 255 || prefix < (offset - *len)) {
- object->optional_text_len = prefix - (offset - *len);
+ object->optional_text_len = (uint8_t)(prefix - (offset - *len));
if (object->optional_text_len > 0) {
if (*len < object->optional_text_len) {
/* Not enough data. */
if (object->optional_text_len > 0) {
if (*len < object->optional_text_len) {
/* Not enough data. */
if (!DNP3ReadUint32(buf, len, &object->block_number)) {
goto error;
}
if (!DNP3ReadUint32(buf, len, &object->block_number)) {
goto error;
}
- if (prefix - (offset - *len) >= 255) {
+ if (prefix - (offset - *len) >= 255 || prefix < (offset - *len)) {
- object->file_data_len = prefix - (offset - *len);
+ object->file_data_len = (uint8_t)(prefix - (offset - *len));
if (object->file_data_len > 0) {
if (*len < object->file_data_len) {
/* Not enough data. */
if (object->file_data_len > 0) {
if (*len < object->file_data_len) {
/* Not enough data. */
if (!DNP3ReadUint8(buf, len, &object->status_code)) {
goto error;
}
if (!DNP3ReadUint8(buf, len, &object->status_code)) {
goto error;
}
- if (prefix - (offset - *len) >= 255) {
+ if (prefix - (offset - *len) >= 255 || prefix < (offset - *len)) {
- object->optional_text_len = prefix - (offset - *len);
+ object->optional_text_len = (uint8_t)(prefix - (offset - *len));
if (object->optional_text_len > 0) {
if (*len < object->optional_text_len) {
/* Not enough data. */
if (object->optional_text_len > 0) {
if (*len < object->optional_text_len) {
/* Not enough data. */
- if (prefix - (offset - *len) >= 65535) {
+ if (prefix - (offset - *len) >= 65535 || prefix < (offset - *len)) {
- object->file_specification_len = prefix - (offset - *len);
+ object->file_specification_len = (uint16_t)(prefix - (offset - *len));
if (object->file_specification_len > 0) {
if (*len < object->file_specification_len) {
/* Not enough data. */
if (object->file_specification_len > 0) {
if (*len < object->file_specification_len) {
/* Not enough data. */
if (!DNP3ReadUint8(buf, len, &object->reason)) {
goto error;
}
if (!DNP3ReadUint8(buf, len, &object->reason)) {
goto error;
}
- object->challenge_data_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->challenge_data_len = (uint16_t)(prefix - (offset - *len));
if (object->challenge_data_len > 0) {
if (*len < object->challenge_data_len) {
/* Not enough data. */
if (object->challenge_data_len > 0) {
if (*len < object->challenge_data_len) {
/* Not enough data. */
if (!DNP3ReadUint16(buf, len, &object->usr)) {
goto error;
}
if (!DNP3ReadUint16(buf, len, &object->usr)) {
goto error;
}
- object->mac_value_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->mac_value_len = (uint16_t)(prefix - (offset - *len));
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
*buf += object->challenge_data_len;
*len -= object->challenge_data_len;
}
*buf += object->challenge_data_len;
*len -= object->challenge_data_len;
}
- object->mac_value_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->mac_value_len = (uint16_t)(prefix - (offset - *len));
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
if (!DNP3ReadUint16(buf, len, &object->usr)) {
goto error;
}
if (!DNP3ReadUint16(buf, len, &object->usr)) {
goto error;
}
- object->wrapped_key_data_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->wrapped_key_data_len = (uint16_t)(prefix - (offset - *len));
if (object->wrapped_key_data_len > 0) {
if (*len < object->wrapped_key_data_len) {
/* Not enough data. */
if (object->wrapped_key_data_len > 0) {
if (*len < object->wrapped_key_data_len) {
/* Not enough data. */
if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
goto error;
}
if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
goto error;
}
- if (prefix - (offset - *len) >= 65535) {
+ if (prefix - (offset - *len) >= 65535 || prefix < (offset - *len)) {
- object->error_text_len = prefix - (offset - *len);
+ object->error_text_len = (uint16_t)(prefix - (offset - *len));
if (object->error_text_len > 0) {
if (*len < object->error_text_len) {
/* Not enough data. */
if (object->error_text_len > 0) {
if (*len < object->error_text_len) {
/* Not enough data. */
if (!DNP3ReadUint8(buf, len, &object->certificate_type)) {
goto error;
}
if (!DNP3ReadUint8(buf, len, &object->certificate_type)) {
goto error;
}
- object->certificate_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->certificate_len = (uint16_t)(prefix - (offset - *len));
if (object->certificate_len > 0) {
if (*len < object->certificate_len) {
/* Not enough data. */
if (object->certificate_len > 0) {
if (*len < object->certificate_len) {
/* Not enough data. */
- object->mac_value_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->mac_value_len = (uint16_t)(prefix - (offset - *len));
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
if (object->mac_value_len > 0) {
if (*len < object->mac_value_len) {
/* Not enough data. */
- object->digital_signature_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->digital_signature_len = (uint16_t)(prefix - (offset - *len));
if (object->digital_signature_len > 0) {
if (*len < object->digital_signature_len) {
/* Not enough data. */
if (object->digital_signature_len > 0) {
if (*len < object->digital_signature_len) {
/* Not enough data. */
- object->mac_len = prefix - (offset - *len);
+ if (prefix < (offset - *len)) {
+ goto error;
+ }
+ object->mac_len = (uint16_t)(prefix - (offset - *len));
if (object->mac_len > 0) {
if (*len < object->mac_len) {
/* Not enough data. */
if (object->mac_len > 0) {
if (*len < object->mac_len) {
/* Not enough data. */
-/* Some DNP3 servers start with a banner. */
-static const char banner[] = "DNP3";
-
/* Calculate the next transport sequence number. */
#define NEXT_TH_SEQNO(current) ((current + 1) % DNP3_MAX_TRAN_SEQNO)
/* Calculate the next transport sequence number. */
#define NEXT_TH_SEQNO(current) ((current + 1) % DNP3_MAX_TRAN_SEQNO)
header->start_byte1 == DNP3_START_BYTE1;
}
header->start_byte1 == DNP3_START_BYTE1;
}
+/* Some DNP3 servers start with a banner. */
+#define DNP3_BANNER "DNP3"
+
/**
* \brief Check if a frame contains a banner.
*
/**
* \brief Check if a frame contains a banner.
*
*/
static int DNP3ContainsBanner(const uint8_t *input, uint32_t len)
{
*/
static int DNP3ContainsBanner(const uint8_t *input, uint32_t len)
{
- return BasicSearch(input, len, (uint8_t *)banner, strlen(banner)) != NULL;
+ return BasicSearch(input, len, (uint8_t *)DNP3_BANNER, strlen(DNP3_BANNER)) != NULL;