- ACSE: fixed out-of-bounds read in parseAarqPdu function (LIB61850-4…

…41)(#512)
mz-automation · Jun 12, 2024 · 501dffe · 501dffe
1 parent ac17349
commit 501dffe
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/mms/iso_acse/acse.c b/src/mms/iso_acse/acse.c
@@ -263,13 +263,17 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
     int authMechLen = 0;
     bool userInfoValid = false;
 
-    while (bufPos < maxBufPos) {
+    while (bufPos < maxBufPos)
+    {
         uint8_t tag = buffer[bufPos++];
         int len;
 
         bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
 
-        if (bufPos < 0) {
+        if (len == 0)
+            continue;
+
+        if ((bufPos < 0) || (bufPos + len > maxBufPos)) {
             if (DEBUG_ACSE)
                 printf("ACSE: Invalid PDU!\n");
             return ACSE_ASSOCIATE_FAILED;