From: Philippe Antoine
Date: Sun, 21 Jun 2020 20:22:47 +0000 (+0200)
Subject: dnp3: fix buffer over read in responses parsing
X-Git-Tag: suricata-5.0.4~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd1ed2f32de52f044d9d6b7fccdc326c881f3f6b;p=thirdparty%2Fsuricata.git
dnp3: fix buffer over read in responses parsing
(cherry picked from commit d465bb86863acd4c0cd534f0748c5a2ef1283241)
---
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
index 2e764cc46c..d2faa6aa12 100644
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -556,9 +556,9 @@ static int DNP3IsUserData(const DNP3LinkHeader *header)
 *
 * \retval 1 if user data exists, otherwise 0.
 */
-static int DNP3HasUserData(const DNP3LinkHeader *header)
+static int DNP3HasUserData(const DNP3LinkHeader *header, uint8_t direction)
 {
- if (DNP3_LINK_DIR(header->control)) {
+ if (direction == STREAM_TOSERVER) {
 return header->len >= DNP3_LINK_HDR_LEN + sizeof(DNP3TransportHeader) + sizeof(DNP3ApplicationHeader);
 }
@@ -1081,7 +1081,7 @@ static int DNP3HandleRequestLinkLayer(DNP3State *dnp3, const uint8_t *input,
 /* Make sure the header length is large enough for transport and
 * application headers. */
- if (!DNP3HasUserData(header)) {
+ if (!DNP3HasUserData(header, STREAM_TOSERVER)) {
 DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
 goto next;
 }
@@ -1220,7 +1220,7 @@ static int DNP3HandleResponseLinkLayer(DNP3State *dnp3, const uint8_t *input,
 /* Make sure the header length is large enough for transport and
 * application headers. */
- if (!DNP3HasUserData(header)) {
+ if (!DNP3HasUserData(header, STREAM_TOCLIENT)) {
 DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
 goto error;
 }
@@ -1261,6 +1261,7 @@ static int DNP3ParseResponse(Flow *f, void *state, AppLayerParserState *pstate,
 const uint8_t flags)
 {
 SCEnter();
+
 DNP3State *dnp3 = (DNP3State *)state;
 DNP3Buffer *buffer = &dnp3->response_buffer;
 int processed;
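Review bot: The Doxygen comment that ends just above `DNP3HasUserData` in the `@@ -556,9` hunk is not updated for the new `direction` argument, and nothing in the function records why the DIR bit is no longer consulted. That bit is read from `header->control`, so it comes from the frame itself; a to-client frame that set it was presumably held only to the shorter request minimum, which would be the over-read named in the subject. I would add `\param direction STREAM_TOSERVER for requests, STREAM_TOCLIENT for responses` to the comment and, above the `if`, `/* Use the stream direction, not the sender-controlled DIR bit, to pick the minimum length. */`. The comment opens and the function body continues outside the hunk, so the response-side branch is not visible here.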
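Review bot: In the `@@ -1220,7` hunk (and likewise `@@ -1081,7`) the direction is now fixed by the caller, so a frame whose DIR bit disagrees with the stream it arrived on is parsed with no record of the mismatch. This commit implies such frames do reach the parser, so it may be worth raising a dedicated decoder event through `DNP3SetEvent` when `DNP3_LINK_DIR(header->control)` does not match the direction, giving rules something to alert on. Whether that is noisy where the outstation opens the connection would need checking. No test for a to-client frame with the DIR bit set and a too-short `len` is visible in this diff; one would pin the fix. Both functions start and end outside their hunks.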