dnp3: avoids DOS by too long loop over null-sized objects

author Philippe Antoine <contact@catenacyber.fr>

Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)

committer Victor Julien <victor@inliniac.net>

Thu, 3 Dec 2020 16:06:49 +0000 (17:06 +0100)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)
committer Victor Julien <victor@inliniac.net>
Thu, 3 Dec 2020 16:06:49 +0000 (17:06 +0100)
diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py

index b2226c3217b89c0001a8e48353051f62ce74af28..447d38638714c5b4ff07359e2f035fe4fee26421 100755 (executable)
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -432,6 +432,9 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
  {% endfor %}
  {% endif %}
  
+    if (*len < count/8) {
+        goto error;
+    }
      while (count--) {
  
          object = SCCalloc(1, sizeof(*object));
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)
committer	Victor Julien <victor@inliniac.net>
	Thu, 3 Dec 2020 16:06:49 +0000 (17:06 +0100)