From 44bd3169eb1ab0501d909fe261b3dafde6375400 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 8 Jul 2021 15:02:50 +0200
Subject: [PATCH] dnp3: regenerate object decoding code
Ticket: #4558
So as to avoid intra-structure overflow
---
 src/app-layer-dnp3-objects.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/app-layer-dnp3-objects.c b/src/app-layer-dnp3-objects.c
index e71d6dd61eab..a0159ac1d4d9 100644
--- a/src/app-layer-dnp3-objects.c
+++ b/src/app-layer-dnp3-objects.c
@@ -7153,6 +7153,9 @@ static int DNP3DecodeObjectG70V4(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7217,6 +7220,9 @@ static int DNP3DecodeObjectG70V5(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint32(buf, len, &object->block_number)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->file_data_len = prefix - (offset - *len);
 if (object->file_data_len > 0) {
 if (*len < object->file_data_len) {
@@ -7284,6 +7290,9 @@ static int DNP3DecodeObjectG70V6(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 255) {
+ goto error;
+ }
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7413,6 +7422,9 @@ static int DNP3DecodeObjectG70V8(const uint8_t **buf, uint32_t *len,
 offset = *len;
+ if (prefix - (offset - *len) >= 65535) {
+ goto error;
+ }
 object->file_specification_len = prefix - (offset - *len);
 if (object->file_specification_len > 0) {
 if (*len < object->file_specification_len) {
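Review bot: The bound in the new guard in DNP3DecodeObjectG70V4 is a bare `255` with nothing tying it to the field it protects, so if the array behind `optional_text_len` is ever resized the check silently stops matching, and because the subject says this file is regenerated, any hand edit here will be lost unless the generator template changes too. The expression `prefix - (offset - *len)` is also evaluated twice, once in the guard and once in the assignment that follows it. If the destination is a fixed array named `optional_text` (the copy is outside the hunk, so I am inferring), I would have the template emit `uint32_t remaining = prefix - (offset - *len);` / `if (remaining >= sizeof(object->optional_text)) { goto error; }` / `object->optional_text_len = remaining;` so the limit and the value come from one place. DNP3DecodeObjectG70V4 begins and ends outside the hunk.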
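Review bot: In DNP3DecodeObjectG70V5 the new guard only rejects a short prefix as a side effect: `offset - *len` is what has been consumed since `offset` was taken, and when that exceeds `prefix` the subtraction wraps to a value far above 255 and is caught by the width comparison, but nothing states that this is relied upon. That reasoning holds only if `prefix` and `offset` are unsigned, which the hunk does not show; with a signed operand the wrap would be undefined behaviour and the comparison could pass. I would make the intent explicit with a separate check ahead of the width test, `if (offset - *len > prefix) { goto error; } /* consumed past the declared prefix */`, or at least a comment on the existing line saying the width check doubles as the underflow guard. DNP3DecodeObjectG70V5 begins and ends outside the hunk.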
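Review bot: The guard added to DNP3DecodeObjectG70V6 uses `>= 255`, which refuses a declared length of exactly 255 even though an 8-bit length field could represent it, and the hunk gives no hint whether that is deliberate (for example a 255-byte destination that also needs room for a terminator) or an off-by-one that rejects a legitimate maximum-length object. Either way the next reader will wonder, so the choice should be written down where it is made. I would put a comment above the check such as `/* the text field holds at most 254 bytes; 255 or more (including a wrapped subtraction) is malformed */`, adjusted to whatever the real capacity turns out to be in the struct definition. DNP3DecodeObjectG70V6 begins and ends outside the hunk.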
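Review bot: In DNP3DecodeObjectG70V8 the new guard sits directly after `offset = *len;`, so `offset - *len` is zero at that point and the condition is really just `prefix >= 65535`, with `file_specification_len` receiving the whole `prefix` on the line after; the generic template shape hides that from the reader. Functionally it is fine, and unlike the other hunks there is no read between taking `offset` and the guard, so no wrapped subtraction is possible here. A one-line comment would save the next person the arithmetic: `/* nothing consumed yet, so the entire prefix is the file specification */`. DNP3DecodeObjectG70V8 begins and ends outside the hunk.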
@@ -8158,6 +8170,9 @@ static int DNP3DecodeObjectG120V7(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
 goto error;
 }
+ if (prefix - (offset - *len) >= 65535) {
+ goto error;
+ }
 object->error_text_len = prefix - (offset - *len);
 if (object->error_text_len > 0) {
 if (*len < object->error_text_len) {
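Review bot: Nothing in the new guard in DNP3DecodeObjectG120V7 explains why it is needed in addition to the `*len < object->error_text_len` check two lines below, and the relationship is the whole point of the fix: the assignment narrows a 32-bit expression into `error_text_len` (the `65535` bound suggests a 16-bit field), and the later check compares `*len` against the already-narrowed value, so it cannot catch a declared length that wrapped on assignment. That is presumably the "intra-structure overflow" the commit message refers to, but a reader of the code will not see the connection. I would add above the guard `/* Reject before the narrowing assignment: the *len check below only sees the truncated value. */`, ideally in the generator so all five sites carry it. DNP3DecodeObjectG120V7 begins and ends outside the hunk.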