f358f322da
* Rebase patches to Buildroot 2021.02-rc3 * Update Buildroot to 2021.02-rc3 * Declare Kernel headers to be Linux version 5.10 (since they are, and new Buildroot knows about 5.10)
28 lines
989 B
Diff
28 lines
989 B
Diff
From 033ab5b6488250c8c3b838f25a7cbc3e099230bb Mon Sep 17 00:00:00 2001
|
|
From: Michael Zillgith <michael.zillgith@mz-automation.de>
|
|
Date: Wed, 12 Aug 2020 07:25:37 +0200
|
|
Subject: [PATCH] - COTP: fixed possible heap buffer overflow when handling
|
|
message with invalid (zero) value in length field (#250)
|
|
|
|
[Retrieved from:
|
|
https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
src/mms/iso_cotp/cotp.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/src/mms/iso_cotp/cotp.c b/src/mms/iso_cotp/cotp.c
|
|
index cbb34b36..8c37d262 100644
|
|
--- a/src/mms/iso_cotp/cotp.c
|
|
+++ b/src/mms/iso_cotp/cotp.c
|
|
@@ -720,6 +720,9 @@ CotpConnection_readToTpktBuffer(CotpConnection* self)
|
|
goto exit_waiting;
|
|
}
|
|
|
|
+ if (self->packetSize <= bufPos)
|
|
+ goto exit_error;
|
|
+
|
|
readBytes = readFromSocket(self, buffer + bufPos, self->packetSize - bufPos);
|
|
|
|
if (readBytes < 0)
|