dnp3: adds bounds check for prefix chararray

author Philippe Antoine <contact@catenacyber.fr>

Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)

committer Victor Julien <victor@inliniac.net>

Mon, 23 Aug 2021 15:10:04 +0000 (17:10 +0200)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)
committer Victor Julien <victor@inliniac.net>
Mon, 23 Aug 2021 15:10:04 +0000 (17:10 +0200)
diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py

index 75a127623cb68aa0aa6905473279c04bf1561d65..4a308de6f9f75438ea4d6157ce64a9cc8cbd4fb2 100755 (executable)
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -518,6 +518,9 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
          }
  {% elif field.type == "chararray" %}
  {% if field.len_from_prefix %}
+        if (prefix - (offset - *len) >= {{field.size}}) {
+            goto error;
+        }
          object->{{field.len_field}} = prefix - (offset - *len);
  {% endif %}
          if (object->{{field.len_field}} > 0) {
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 8 Jul 2021 13:01:15 +0000 (15:01 +0200)
committer	Victor Julien <victor@inliniac.net>
	Mon, 23 Aug 2021 15:10:04 +0000 (17:10 +0200)