From: Philippe Antoine
Date: Thu, 8 Jul 2021 13:02:50 +0000 (+0200)
Subject: dnp3: regenerate object decoding code
X-Git-Tag: suricata-5.0.8~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbab065063e8c633e14d87155aebdfb68ddae3d3;p=thirdparty%2Fsuricata.git
dnp3: regenerate object decoding code Ticket: #4558 So as to avoid intra-structure overflow (cherry picked from commit 44bd3169eb1ab0501d909fe261b3dafde6375400)
---
diff --git a/src/app-layer-dnp3-objects.c b/src/app-layer-dnp3-objects.c
index e71d6dd61e..caa218bf5a 100644
--- a/src/app-layer-dnp3-objects.c
+++ b/src/app-layer-dnp3-objects.c
@@ -7153,6 +7153,9 @@ static int DNP3DecodeObjectG70V4(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7217,6 +7220,9 @@ static int DNP3DecodeObjectG70V5(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint32(buf, len, &object->block_number)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->file_data_len = prefix - (offset - *len);
 if (object->file_data_len > 0) {
 if (*len < object->file_data_len) {
@@ -7284,6 +7290,9 @@ static int DNP3DecodeObjectG70V6(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7413,6 +7422,9 @@ static int DNP3DecodeObjectG70V8(const uint8_t **buf, uint32_t *len,
 offset = *len;
+ if (prefix - (offset - *len) >= 65535) {
+ goto error;
+ }
 object->file_specification_len = prefix - (offset - *len);
 if (object->file_specification_len > 0) {
 if (*len < object->file_specification_len) {
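Review bot: The new bound in DNP3DecodeObjectG70V4 is the bare literal `255`, and the same pattern repeats in the G70V5 and G70V6 hunks and with `65535` in G70V8 and G120V7, so nothing on these lines ties the limit to the destination field it protects. If those fields are fixed-size arrays (the struct definitions are not on this page), deriving the limit from the field keeps the check and the storage in step, e.g. `if (prefix - (offset - *len) >= sizeof(object->optional_text)) {`. The guard also deserves a comment such as `/* reject lengths that do not fit the destination field; an underflowed (wrapped) value also lands here */`, because it appears to rely on unsigned wraparound when more bytes were consumed than `prefix` allows; only `len` is visibly `uint32_t` in the hunk header, so the types of `prefix` and `offset` should be confirmed. Since the commit message says this file is regenerated, the change belongs in the generator template rather than in this output, and each function body continues outside its hunk.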
@@ -8158,6 +8170,9 @@ static int DNP3DecodeObjectG120V7(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 65535) {
+ goto error;
+ }
 object->error_text_len = prefix - (offset - *len);
 if (object->error_text_len > 0) {
 if (*len < object->error_text_len) {