From: Philippe Antoine
Date: Sun, 21 Jun 2020 20:22:47 +0000 (+0200)
Subject: dnp3: fix buffer over read in responses parsing
X-Git-Tag: suricata-6.0.0-beta1~265
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d465bb86863acd4c0cd534f0748c5a2ef1283241;p=thirdparty%2Fsuricata.git
dnp3: fix buffer over read in responses parsing
---
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
index c1ce7898f0..7c8653ea89 100644
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -559,9 +559,9 @@ static int DNP3IsUserData(const DNP3LinkHeader *header)
 *
 * \retval 1 if user data exists, otherwise 0.
 */
-static int DNP3HasUserData(const DNP3LinkHeader *header)
+static int DNP3HasUserData(const DNP3LinkHeader *header, uint8_t direction)
 {
- if (DNP3_LINK_DIR(header->control)) {
+ if (direction == STREAM_TOSERVER) {
 return header->len >= DNP3_LINK_HDR_LEN + sizeof(DNP3TransportHeader) +
 sizeof(DNP3ApplicationHeader);
 }
@@ -1084,7 +1084,7 @@ static int DNP3HandleRequestLinkLayer(DNP3State *dnp3, const uint8_t *input,

 /* Make sure the header length is large enough for transport and
 * application headers. */
- if (!DNP3HasUserData(header)) {
+ if (!DNP3HasUserData(header, STREAM_TOSERVER)) {
 DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
 goto next;
 }
@@ -1223,7 +1223,7 @@ static int DNP3HandleResponseLinkLayer(DNP3State *dnp3, const uint8_t *input,

 /* Make sure the header length is large enough for transport and
 * application headers. */
- if (!DNP3HasUserData(header)) {
+ if (!DNP3HasUserData(header, STREAM_TOCLIENT)) {
 DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
 goto error;
 }
@@ -1264,6 +1264,7 @@ static AppLayerResult DNP3ParseResponse(Flow *f, void *state, AppLayerParserStat
 const uint8_t flags)
 {
 SCEnter();
+
 DNP3State *dnp3 = (DNP3State *)state;
 DNP3Buffer *buffer = &dnp3->response_buffer;
 int processed;
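Review bot: The Doxygen block above DNP3HasUserData ends at `\retval` and does not mention the new `direction` argument, so the reason the minimum length is no longer chosen from the frame itself is undocumented. I would add `\param direction STREAM_TOSERVER for requests, STREAM_TOCLIENT for responses; taken from the stream being parsed, not from the DIR bit in header->control, which the sender controls.` Because the test is `direction == STREAM_TOSERVER`, any other value falls into the branch that is not visible here, presumably the response minimum, and the comment should say that callers pass exactly one of the two constants rather than a combined flags byte. The function body continues outside the hunk.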
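Review bot: No regression test is visible in this diff for the path fixed at the `DNP3HasUserData(header, STREAM_TOCLIENT)` call in DNP3HandleResponseLinkLayer. A unit test that hands the response parser a to-client frame whose link control byte has the DIR bit set and whose length would pass the request-side check but, presumably, not the response-side one, and then asserts that `DNP3_DECODER_EVENT_LEN_TOO_SMALL` is raised, would pin the behaviour so the wire bit cannot be reintroduced as the selector later. The function starts and ends outside the hunk, so what happens after `goto error` cannot be checked from here.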