From 7d4614ad54ea2b84988fb17d381ff4d7108230ef Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Mon, 12 Aug 2024 10:57:05 +0100
Subject: [PATCH] - ACSE: fixed out-of-bound read in parseAarqPdu/parseAarePdu functions (#512)(#513)(LIB61850-441)(LIB61850-442)
---
 src/mms/iso_acse/acse.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/mms/iso_acse/acse.c b/src/mms/iso_acse/acse.c
index 3b5e48a5..3f34e173 100644
--- a/src/mms/iso_acse/acse.c
+++ b/src/mms/iso_acse/acse.c
@@ -190,10 +190,18 @@ parseAarePdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
+ if (bufPos < 0)
+ {
+ if (DEBUG_ACSE)
+ printf("ACSE: Invalid PDU!\n");
+ return ACSE_ERROR;
+ }
+
 if (len == 0)
 continue;
- if ((bufPos < 0) || (bufPos + len > maxBufPos)) {
+ if (bufPos + len > maxBufPos)
+ {
 if (DEBUG_ACSE)
 printf("ACSE: Invalid PDU!\n");
 return ACSE_ERROR;
@@ -279,7 +287,18 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
- if (bufPos < 0) {
+ if (bufPos < 0)
+ {
+ if (DEBUG_ACSE)
+ printf("ACSE: Invalid PDU!\n");
+ return ACSE_ASSOCIATE_FAILED;
+ }
+
+ if (len == 0)
+ continue;
+
+ if (bufPos + len > maxBufPos)
+ {
 if (DEBUG_ACSE)
 printf("ACSE: Invalid PDU!\n");
 return ACSE_ASSOCIATE_FAILED;
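Review bot: The retained bound check in parseAarePdu, `if (bufPos + len > maxBufPos)`, still accepts a negative `len` and computes `bufPos + len` as a signed `int` addition, which can overflow if the length field decodes to a large value and BerDecoder_decodeLength does not already clamp it (that helper is not visible here, so this is a hedged concern rather than a confirmed fault). Either case would let the element body be read past the buffer, which is exactly what this commit sets out to close. Writing the check as `if (len < 0 || len > maxBufPos - bufPos)` avoids both without changing accepted inputs, provided the helper never returns a bufPos greater than maxBufPos; if it can, add that to the `bufPos < 0` rejection above. The identical check in the parseAarqPdu hunk should get the same treatment; that hunk ends outside this excerpt, and the loop enclosing both checks begins before each hunk.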