dnp3: adds bounds check for prefix chararray

author Philippe Antoine <contact@catenacyber.fr>

Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)

committer Jeff Lucovsky <jeff@lucovsky.org>

Fri, 17 Sep 2021 17:34:32 +0000 (13:34 -0400)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)
committer Jeff Lucovsky <jeff@lucovsky.org>
Fri, 17 Sep 2021 17:34:32 +0000 (13:34 -0400)
diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py

index 19076e7799716aa7abc5b74b9f7b6b4e7030539d..701cfd2e688806a20f21419c0c56e9b800dfbd0e 100755 (executable)
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -524,6 +524,9 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
          }
  {% elif field.type == "chararray" %}
  {% if field.len_from_prefix %}
+        if (prefix - (offset - *len) >= {{field.size}}) {
+            goto error;
+        }
          object->{{field.len_field}} = prefix - (offset - *len);
  {% endif %}
          if (object->{{field.len_field}} > 0) {
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)
committer	Jeff Lucovsky <jeff@lucovsky.org>
	Fri, 17 Sep 2021 17:34:32 +0000 (13:34 -0400)