dnp3: fix buffer over read in responses parsing

5 years ago · d465bb8686
parent 629a16e373
commit d465bb8686
1 changed files with 5 additions and 4 deletions
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@ -559,9 +559,9 @@ static int DNP3IsUserData(const DNP3LinkHeader *header)
 *
 * \retval 1 if user data exists, otherwise 0.
 */
-static int DNP3HasUserData(const DNP3LinkHeader *header)
+static int DNP3HasUserData(const DNP3LinkHeader *header, uint8_t direction)
 {
-    if (DNP3_LINK_DIR(header->control)) {
+    if (direction == STREAM_TOSERVER) {
        return header->len >= DNP3_LINK_HDR_LEN + sizeof(DNP3TransportHeader) +
            sizeof(DNP3ApplicationHeader);
    }
@ -1084,7 +1084,7 @@ static int DNP3HandleRequestLinkLayer(DNP3State *dnp3, const uint8_t *input,
        /* Make sure the header length is large enough for transport and
         * application headers. */
-        if (!DNP3HasUserData(header)) {
+        if (!DNP3HasUserData(header, STREAM_TOSERVER)) {
            DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
            goto next;
        }
@ -1223,7 +1223,7 @@ static int DNP3HandleResponseLinkLayer(DNP3State *dnp3, const uint8_t *input,
        /* Make sure the header length is large enough for transport and
         * application headers. */
-        if (!DNP3HasUserData(header)) {
+        if (!DNP3HasUserData(header, STREAM_TOCLIENT)) {
            DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_LEN_TOO_SMALL);
            goto error;
        }
@ -1264,6 +1264,7 @@ static AppLayerResult DNP3ParseResponse(Flow *f, void *state, AppLayerParserStat
    const uint8_t flags)
 {
    SCEnter();
    DNP3State *dnp3 = (DNP3State *)state;
    DNP3Buffer *buffer = &dnp3->response_buffer;
    int processed;