From: Philippe Antoine
Date: Thu, 8 Jul 2021 13:01:15 +0000 (+0200)
Subject: dnp3: adds bounds check for prefix chararray
X-Git-Tag: suricata-6.0.4~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=550e8708b01e6810d9b6a10ec82e93bd562185e2;p=thirdparty%2Fsuricata.git
dnp3: adds bounds check for prefix chararray
Ticket: #4558
Avoids intra structure overflow
(cherry picked from commit 126a7dcb4f1818a806c882c54da864992bb304d5)
---
diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py
index 75a127623c..4a308de6f9 100755
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -518,6 +518,9 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
 }
 {% elif field.type == "chararray" %}
 {% if field.len_from_prefix %}
+ if (prefix - (offset - *len) >= {{field.size}}) {
+ goto error;
+ }
 object->{{field.len_field}} = prefix - (offset - *len);
 {% endif %}
 if (object->{{field.len_field}} > 0) {
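Review bot: The new guard sits inside `{% if field.len_from_prefix %}`, so chararray fields whose length comes from a separately decoded field still reach the `if (object->{{field.len_field}} > 0)` path with no comparison against `{{field.size}}` in this hunk. Whether those fields are bounded elsewhere in the template is not visible here and is worth confirming. In the added check, `prefix - (offset - *len)` is evaluated twice and presumably relies on unsigned wraparound to reject a prefix smaller than the bytes already consumed; a comment would make that intent explicit, e.g. `/* Remaining prefix length must fit the array; a prefix shorter than the bytes consumed wraps and is rejected too. */`. The template body of the decode function starts and ends outside the hunk, so the declared types of `prefix`, `offset` and `len` could not be checked.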