dnp3: avoids DOS by too long loop over null-sized objects

author Philippe Antoine <contact@catenacyber.fr>

Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)

committer Shivani Bhardwaj <shivanib134@gmail.com>

Thu, 3 Dec 2020 22:39:55 +0000 (04:09 +0530)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)
committer Shivani Bhardwaj <shivanib134@gmail.com>
Thu, 3 Dec 2020 22:39:55 +0000 (04:09 +0530)
diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py

index ae2fef7baa898d8a7fedd21ed4a3daf888f34c69..0396b6d5c654635fe0ba04ab3d651a04ecd9af16 100755 (executable)
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -437,6 +437,9 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
  {% endfor %}
  {% endif %}
  
+    if (*len < count/8) {
+        goto error;
+    }
      while (count--) {
  
          object = SCCalloc(1, sizeof(*object));
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 19 Nov 2020 13:30:27 +0000 (14:30 +0100)
committer	Shivani Bhardwaj <shivanib134@gmail.com>
	Thu, 3 Dec 2020 22:39:55 +0000 (04:09 +0530)