Comments and length checks. (#81)

* Comments and length checks. * Added max_apdu checking.
2020-05-02 03:29:21 +02:00
parent fdd49f1791
commit 05aaee7f6b
4 changed files with 154 additions and 34 deletions
@@ -40,7 +40,16 @@

 /** @file timesync.c  Encode/Decode TimeSync APDUs  */
 #if BACNET_SVC_TS_A
-/* encode service */
+/** Encode the time synchronisation service.
+ *
+ * @param apdu [in] Buffer in which the APDU contents are written
+ * @param service [in] Time service that shall be encoded, like
+ *                     SERVICE_UNCONFIRMED_UTC_TIME_SYNCHRONIZATION.
+ * @param my_date [in] Pointer to the date structure used to encode.
+ * @param my_time [in] Pointer to the time structure used to encode.
+ *
+ * @return Count of encoded bytes.
+ */
 int timesync_encode_apdu_service(uint8_t *apdu,
    BACNET_UNCONFIRMED_SERVICE service,
    BACNET_DATE *my_date,
@@ -62,6 +71,14 @@ int timesync_encode_apdu_service(uint8_t *apdu,
    return apdu_len;
 }

+/** Encode the service 'UTC_TIME_SYNCHRONIZATION'.
+ *
+ * @param apdu [in] Buffer in which the APDU contents are written
+ * @param my_date [in] Pointer to the date structure used to encode.
+ * @param my_time [in] Pointer to the time structure used to encode.
+ *
+ * @return Count of encoded bytes.
+ */
 int timesync_utc_encode_apdu(
    uint8_t *apdu, BACNET_DATE *my_date, BACNET_TIME *my_time)
 {
@@ -69,6 +86,14 @@ int timesync_utc_encode_apdu(
        apdu, SERVICE_UNCONFIRMED_UTC_TIME_SYNCHRONIZATION, my_date, my_time);
 }

+/** Encode the service 'TIME_SYNCHRONIZATION'.
+ *
+ * @param apdu [in] Buffer in which the APDU contents are written
+ * @param my_date [in] Pointer to the date structure used to encode.
+ * @param my_time [in] Pointer to the time structure used to encode.
+ *
+ * @return Count of encoded bytes.
+ */
 int timesync_encode_apdu(
    uint8_t *apdu, BACNET_DATE *my_date, BACNET_TIME *my_time)
 {
@@ -77,7 +102,15 @@ int timesync_encode_apdu(
 }
 #endif

-/* decode the service request only */
+/** Decode the service request only.
+ *
+ * @param apdu [in] Buffer in which the APDU contents are read
+ * @param apdu_len [in] length of the APDU buffer.
+ * @param my_date [in] Pointer to the date structure filled in.
+ * @param my_time [in] Pointer to the time structure filled in.
+ *
+ * @return Count of decoded bytes.
+ */
 int timesync_decode_service_request(uint8_t *apdu,
    unsigned apdu_len,
    BACNET_DATE *my_date,
@@ -91,17 +124,25 @@ int timesync_decode_service_request(uint8_t *apdu,
        /* date */
        len += decode_tag_number_and_value(&apdu[len], &tag_number, &len_value);
        if (tag_number == BACNET_APPLICATION_TAG_DATE) {
-            len += decode_date(&apdu[len], my_date);
+            if ((unsigned)(len + 4) <= apdu_len) {
+                len += decode_date(&apdu[len], my_date);
+            } else {
+                return -1;
+            }
        } else {
            return -1;
        }
        /* time */
        len += decode_tag_number_and_value(&apdu[len], &tag_number, &len_value);
        if (tag_number == BACNET_APPLICATION_TAG_TIME) {
+            if ((unsigned)(len + 4) <= apdu_len) {
            len += decode_bacnet_time(&apdu[len], my_time);
        } else {
            return -1;
        }
+        } else {
+            return -1;
+        }
    }

    return len;
@@ -139,6 +180,10 @@ int timesync_encode_timesync_recipients(
    BACNET_OCTET_STRING octet_string;
    BACNET_RECIPIENT_LIST *pRecipient;

+    if ((!apdu) || (max_apdu < 1) || (!recipient)) {
+        return(0);
+    }
+
    pRecipient = recipient;
    while (pRecipient != NULL) {
        if (pRecipient->tag == 0) {
@@ -231,11 +276,18 @@ int timesync_decode_timesync_recipients(
    BACNET_OCTET_STRING octet_string;
    BACNET_RECIPIENT_LIST *pRecipient;

+    if ((!apdu) || (max_apdu < 1) || (!recipient)) {
+        return BACNET_STATUS_ABORT;
+    }
+
    pRecipient = recipient;
    while (pRecipient != NULL) {
        /* device [0] BACnetObjectIdentifier */
        if (decode_is_context_tag(&apdu[apdu_len], 0)) {
            pRecipient->tag = 0;
+            if ((unsigned)(apdu_len + 4) > max_apdu) {
+                return BACNET_STATUS_ABORT;
+            }
            len = decode_context_object_id(&apdu[apdu_len], 0,
                &pRecipient->type.device.type,
                &pRecipient->type.device.instance);
@@ -250,6 +302,9 @@ int timesync_decode_timesync_recipients(
            tag_len = decode_tag_number_and_value(
                &apdu[apdu_len], &tag_number, &len_value_type);
            apdu_len += tag_len;
+            if ((unsigned)apdu_len > max_apdu) {
+                return BACNET_STATUS_ABORT;
+            }
            if (tag_number != BACNET_APPLICATION_TAG_UNSIGNED_INT) {
                return BACNET_STATUS_ABORT;
            }
@@ -257,6 +312,9 @@ int timesync_decode_timesync_recipients(
                &apdu[apdu_len], len_value_type, &unsigned_value);
            pRecipient->type.address.net = (uint16_t)unsigned_value;
            apdu_len += len;
+            if ((unsigned)apdu_len > max_apdu) {
+                return BACNET_STATUS_ABORT;
+            }
            /* mac-address OCTET STRING */
            tag_len = decode_tag_number_and_value(
                &apdu[apdu_len], &tag_number, &len_value_type);
@@ -265,7 +323,7 @@ int timesync_decode_timesync_recipients(
                return BACNET_STATUS_ABORT;
            }
            len = bacnet_octet_string_decode(&apdu[apdu_len],
-                max_apdu, len_value_type, &octet_string);
+                max_apdu - apdu_len, len_value_type, &octet_string);
            if (len < 0) {
                return BACNET_STATUS_ERROR;
            }