From 6a6aa04f55bbe4eeb5e53d1ec0ae57db81a259ec Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 26 Jan 2018 16:09:18 -0600
Subject: [PATCH] dnp3-gen: fix heap buffer overflow in generated code

Due to missing check before memcpy.
---
 scripts/dnp3-gen/dnp3-gen.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/scripts/dnp3-gen/dnp3-gen.py b/scripts/dnp3-gen/dnp3-gen.py
index cc2aa8fc43..a1c23f152c 100755
--- a/scripts/dnp3-gen/dnp3-gen.py
+++ b/scripts/dnp3-gen/dnp3-gen.py
@@ -527,6 +527,10 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
 object->{{field.len_field}} = prefix - (offset - *len);
 {% endif %}
 if (object->{{field.len_field}} > 0) {
+ if (*len < object->{{field.len_field}}) {
+ /* Not enough data. */
+ goto error;
+ }
 memcpy(object->{{field.name}}, *buf, object->{{field.len_field}});
 *buf += object->{{field.len_field}};
 *len -= object->{{field.len_field}};
@@ -538,20 +542,20 @@ static int DNP3DecodeObjectG{{object.group}}V{{object.variation}}(const uint8_t
 if (!DNP3ReadUint8(buf, len, &octet)) {
 goto error;
 }
-{% set shift = 0 %}
+{% set ns = namespace(shift=0) %}
 {% for field in field.fields %}
 {% if field.width == 1 %}
- object->{{field.name}} = (octet >> {{shift}}) & 0x1;
+ object->{{field.name}} = (octet >> {{ns.shift}}) & 0x1;
 {% elif field.width == 2 %}
- object->{{field.name}} = (octet >> {{shift}}) & 0x3;
+ object->{{field.name}} = (octet >> {{ns.shift}}) & 0x3;
 {% elif field.width == 4 %}
- object->{{field.name}} = (octet >> {{shift}}) & 0xf;
+ object->{{field.name}} = (octet >> {{ns.shift}}) & 0xf;
 {% elif field.width == 7 %}
- object->{{field.name}} = (octet >> {{shift}}) & 0x7f;
+ object->{{field.name}} = (octet >> {{ns.shift}}) & 0x7f;
 {% else %}
 {{ raise("Unhandled width of %d." % (field.width)) }}
 {% endif %}
-{% set shift = shift + field.width %}
+{% set ns.shift = ns.shift + field.width %}
 {% endfor %}
 }
 {% else %}
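Review bot: The new guard in the first hunk bounds only the source side of the memcpy: it rejects a `{{field.len_field}}` larger than the remaining input `*len`, but nothing in the hunk bounds it against the destination `object->{{field.name}}`. If that field is a fixed-size array in the generated object struct (the struct definition is outside this diff, so this is inferred from the template), an attacker-controlled length that fits the input but exceeds the array would still write past it; the guard should then read `if (*len < object->{{field.len_field}} || object->{{field.len_field}} > sizeof(object->{{field.name}})) {`, or the template should document where that upper bound is enforced. The `prefix - (offset - *len)` computation on the first context line is also worth a comment stating why it cannot go negative or wrap before reaching the `> 0` test, since the type of `{{field.len_field}}` is not visible here. The generated DNP3DecodeObjectG{{object.group}}V{{object.variation}} function begins and ends outside the hunk.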
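Review bot: The second hunk's switch from `{% set shift = ... %}` to `{% set ns = namespace(shift=0) %}` makes the generator depend on Jinja2's namespace object, which exists only from Jinja2 2.10 onward; the diffstat shows no requirements or setup change accompanying it, so an older Jinja2 would fail to render with an undefined `namespace`. A one-line comment in the template such as `{# namespace() requires Jinja2 >= 2.10; plain set does not persist across for-loop iterations #}` would record both the version floor and the reason the scoped `set` was replaced.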