| From 033ab5b6488250c8c3b838f25a7cbc3e099230bb Mon Sep 17 00:00:00 2001 |
| From: Michael Zillgith <michael.zillgith@mz-automation.de> |
| Date: Wed, 12 Aug 2020 07:25:37 +0200 |
| Subject: [PATCH] - COTP: fixed possible heap buffer overflow when handling |
| message with invalid (zero) value in length field (#250) |
| |
| [Retrieved from: |
| https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb] |
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> |
| --- |
| src/mms/iso_cotp/cotp.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/src/mms/iso_cotp/cotp.c b/src/mms/iso_cotp/cotp.c |
| index cbb34b36..8c37d262 100644 |
| --- a/src/mms/iso_cotp/cotp.c |
| +++ b/src/mms/iso_cotp/cotp.c |
| @@ -720,6 +720,9 @@ CotpConnection_readToTpktBuffer(CotpConnection* self) |
| goto exit_waiting; |
| } |
| |
| + if (self->packetSize <= bufPos) |
| + goto exit_error; |
| + |
| readBytes = readFromSocket(self, buffer + bufPos, self->packetSize - bufPos); |
| |
| if (readBytes < 0) |
