Fix out-of-bounds read by clearing attribute descriptor#16
Open
xcengel wants to merge 1 commit into Gurux:master from
Conversation
Clear attribute descriptor after first data block to prevent out-of-bounds read.

Description
Bug: An out-of-bounds read occurs in dlms_getLnMessages() when sending a SET request that spans multiple data blocks.
Root cause: The attribute descriptor is correctly included only in the first data block (SET-Request-First-DataBlock). However, p->attributeDescriptor was not cleared afterwards. When subsequent blocks (SET-Request-With-DataBlock) were being built, the code attempted to re-add the attribute descriptor, but bb_set2 had already advanced the buffer position past its end, causing an out-of-bounds read.
Fix: Added an else branch after the first-block case in development/src/dlms.c that sets p->attributeDescriptor = NULL. This ensures subsequent blocks no longer attempt to include the descriptor, preventing the out-of-bounds access.
Affected file
development/src/dlms.c, function dlms_getLnMessages()
How to reproduce
Send a SET request with a value large enough to require more than one data block (SET-Request-With-DataBlock). The out-of-bounds read occurs when building the second and subsequent blocks.
Testing
Verified that multi-block SET requests complete successfully after the fix, and single-block SET requests are unaffected.
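The failure mode the description above walks through, as an added example written for this page (it is not code from the Gurux DLMS C library or from the PR): a toy buffer type with a read position, a request builder that emits SET-Request-First-DataBlock followed by SET-Request-With-DataBlock blocks, and a switch between the pre-fix behaviour (descriptor pointer left set, so block 2 tries to copy it again from a position already at its end) and the PR's behaviour (pointer cleared after the first block). The buffer type, field names, block layout, the 16-byte payload limit and the sample descriptor and value are all assumptions made for the illustration; the library's real structures and bb_set2 differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy byte buffer with a read/write position. Stand-in for this example
 * only; it is not the library's own buffer type. */
typedef struct {
    uint8_t *data;
    size_t size;
    size_t position;
} buf_t;

/* Append 'count' bytes of src, read from src->position, onto dst.
 * Returns -1 instead of copying when the read would start or end beyond
 * src->size: that is the out-of-bounds read the PR describes, and an
 * unchecked memcpy here would perform it. */
static int buf_append_from(buf_t *dst, buf_t *src, size_t count)
{
    if (src->position > src->size || count > src->size - src->position)
        return -1;
    if (count > dst->size - dst->position)
        return -1;
    memcpy(dst->data + dst->position, src->data + src->position, count);
    dst->position += count;
    src->position += count;
    return 0;
}

/* Request parameters; the field names mirror those the PR mentions. */
typedef struct {
    buf_t *attributeDescriptor; /* class id, OBIS code, attribute index */
    buf_t *data;                /* value to write, consumed block by block */
    size_t maxPayload;          /* value bytes per block (assumed PDU limit) */
} ln_params_t;

enum { SET_REQUEST_FIRST_DATABLOCK = 2, SET_REQUEST_WITH_DATABLOCK = 3 };

/* Build all blocks of one SET request into out[0..max_blocks).
 * Returns the block count, or -1 if a block would read past a buffer end.
 * fixed == 0 keeps the descriptor set on every block (pre-fix behaviour);
 * fixed == 1 clears it after the first block, as the PR does. */
static int build_set_blocks(ln_params_t *p, int fixed, buf_t *out, int max_blocks)
{
    int n = 0;
    while (p->data->position < p->data->size) {
        if (n >= max_blocks)
            return -1;
        buf_t *blk = &out[n];
        blk->position = 0;
        blk->data[blk->position++] =
            (n == 0) ? SET_REQUEST_FIRST_DATABLOCK : SET_REQUEST_WITH_DATABLOCK;
        blk->data[blk->position++] = (uint8_t)(n + 1); /* block number */
        if (p->attributeDescriptor != NULL) {
            /* On block 2+ in the pre-fix path the descriptor's position is
             * already at its end, so this read is out of bounds. */
            if (buf_append_from(blk, p->attributeDescriptor,
                                p->attributeDescriptor->size) != 0)
                return -1;
            if (fixed)
                p->attributeDescriptor = NULL; /* descriptor goes out once */
        }
        size_t left = p->data->size - p->data->position;
        size_t take = left < p->maxPayload ? left : p->maxPayload;
        if (buf_append_from(blk, p->data, take) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Constructed scenario: a 9-byte descriptor (class 1, OBIS 0.0.96.1.0.255,
 * attribute 2) and a 30-byte value with 16 value bytes per block, so the
 * request needs two blocks. Reports the lengths of the first two blocks. */
static int scenario_blocks(int fixed, size_t *len0, size_t *len1)
{
    uint8_t desc_bytes[9] = {0x00, 0x01, 0, 0, 96, 1, 0, 255, 2};
    uint8_t value[30];
    uint8_t raw[3][64];
    buf_t desc = {desc_bytes, sizeof desc_bytes, 0};
    buf_t data = {value, sizeof value, 0};
    buf_t out[3] = {{raw[0], 64, 0}, {raw[1], 64, 0}, {raw[2], 64, 0}};
    ln_params_t p = {&desc, &data, 16};
    int n;
    for (size_t i = 0; i < sizeof value; i++)
        value[i] = (uint8_t)i;
    n = build_set_blocks(&p, fixed, out, 3);
    *len0 = out[0].position;
    *len1 = out[1].position;
    return n;
}

int main(void)
{
    size_t a, b;
    printf("pre-fix: %d (block 2 would read past the descriptor)\n",
           scenario_blocks(0, &a, &b));
    printf("fixed:   %d blocks, %zu and %zu bytes\n",
           scenario_blocks(1, &a, &b), a, b);
    return 0;
}
```

With the pointer left set, the first block is built normally (2 header bytes, 9 descriptor bytes, 16 value bytes) and the second block fails at the descriptor copy, which is where the real code would read beyond the buffer. With the pointer cleared after block one, the second block carries only its header and the remaining 14 value bytes.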