dnp3: regenerate object decoding code

Ticket: OISF#4558 So as to avoid intra-structure overflow
vincentmli · Aug 23, 2021 · 44bd316 · 44bd316
1 parent 126a7dc
commit 44bd316
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/src/app-layer-dnp3-objects.c b/src/app-layer-dnp3-objects.c
@@ -7153,6 +7153,9 @@ static int DNP3DecodeObjectG70V4(const uint8_t **buf, uint32_t *len,
         if (!DNP3ReadUint8(buf, len, &object->status_code)) {
             goto error;
         }
+        if (prefix - (offset - *len) >= 255) {
+            goto error;
+        }
         object->optional_text_len = prefix - (offset - *len);
         if (object->optional_text_len > 0) {
             if (*len < object->optional_text_len) {
@@ -7217,6 +7220,9 @@ static int DNP3DecodeObjectG70V5(const uint8_t **buf, uint32_t *len,
         if (!DNP3ReadUint32(buf, len, &object->block_number)) {
             goto error;
         }
+        if (prefix - (offset - *len) >= 255) {
+            goto error;
+        }
         object->file_data_len = prefix - (offset - *len);
         if (object->file_data_len > 0) {
             if (*len < object->file_data_len) {
@@ -7284,6 +7290,9 @@ static int DNP3DecodeObjectG70V6(const uint8_t **buf, uint32_t *len,
         if (!DNP3ReadUint8(buf, len, &object->status_code)) {
             goto error;
         }
+        if (prefix - (offset - *len) >= 255) {
+            goto error;
+        }
         object->optional_text_len = prefix - (offset - *len);
         if (object->optional_text_len > 0) {
             if (*len < object->optional_text_len) {
@@ -7413,6 +7422,9 @@ static int DNP3DecodeObjectG70V8(const uint8_t **buf, uint32_t *len,
 
         offset = *len;
 
+        if (prefix - (offset - *len) >= 65535) {
+            goto error;
+        }
         object->file_specification_len = prefix - (offset - *len);
         if (object->file_specification_len > 0) {
             if (*len < object->file_specification_len) {
@@ -8158,6 +8170,9 @@ static int DNP3DecodeObjectG120V7(const uint8_t **buf, uint32_t *len,
         if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
             goto error;
         }
+        if (prefix - (offset - *len) >= 65535) {
+            goto error;
+        }
         object->error_text_len = prefix - (offset - *len);
         if (object->error_text_len > 0) {
             if (*len < object->error_text_len) {