From 13c85db4cbb7939c309cdc3df7afa143e38a94c1 Mon Sep 17 00:00:00 2001
From: Steve Karg
Date: Mon, 10 Jul 2023 15:15:55 -0500
Subject: [PATCH] Fix [bug#79] Out of bounds jump in h_apdu.c:apdu_handler (#446)

* Fix [bug#79] Out of bounds jump in h_apdu.c:apdu_handler

---------

Co-authored-by: Steve Karg
---
 CHANGELOG.md | 6 ++++++
 src/bacnet/basic/service/h_apdu.c | 24 +++++++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f44864b..16aa26c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,12 @@ The git repositories are hosted at the following sites:
 
 ## [Unreleased]
 
+### Security
+
+- Fix [bug#79] out of bounds jump in h_apdu.c:apdu_handler (#446)
+
+### Fixed
+
 - Fix segfault on mstp cleanup on linux port (#445)
 - Fix minimal config by adding bitstring (#443)
 - Fix WhoIs app APDU timeout (#444)
diff --git a/src/bacnet/basic/service/h_apdu.c b/src/bacnet/basic/service/h_apdu.c
index a2eb62c7..0bcd5879 100644
--- a/src/bacnet/basic/service/h_apdu.c
+++ b/src/bacnet/basic/service/h_apdu.c
@@ -293,6 +293,11 @@ bool apdu_confirmed_simple_ack_service(
     return status;
 }
 
+/**
+ * @brief Set the the BACnet Simple Ack Service handler
+ * @param service_choice [in] BACnet confirmed service choice
+ * @param pFunction [in] handler for the service
+ */
 void apdu_set_confirmed_simple_ack_handler(
     BACNET_CONFIRMED_SERVICE service_choice,
     confirmed_simple_ack_function pFunction)
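Review bot: The new Doxygen comment on apdu_set_confirmed_simple_ack_handler has a doubled word in its brief, `@brief Set the the BACnet Simple Ack Service handler`; the same duplication appears in the comment added for apdu_set_confirmed_ack_handler in the next hunk. Suggest `@brief Set the BACnet Simple Ack Service handler` (and the matching fix for the Confirmed Ack comment). The body of apdu_set_confirmed_simple_ack_handler continues outside the hunk, so whether its table index is guarded only by apdu_confirmed_simple_ack_service or also by an explicit range check is not visible here; worth confirming it is at least as strict as the check this commit adds to the complex-ack setter.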
@@ -302,11 +307,18 @@ void apdu_set_confirmed_simple_ack_handler(
     }
 }
 
+/**
+ * @brief Set the the BACnet Confirmed Ack Service handler
+ * @param service_choice [in] BACnet confirmed service choice
+ * @param pFunction [in] handler for the service
+ */
 void apdu_set_confirmed_ack_handler(
     BACNET_CONFIRMED_SERVICE service_choice,
     confirmed_ack_function pFunction)
 {
     if (!apdu_confirmed_simple_ack_service(service_choice)) {
-        Confirmed_ACK_Function[service_choice].complex = pFunction;
+        if (service_choice < MAX_BACNET_CONFIRMED_SERVICE) {
+            Confirmed_ACK_Function[service_choice].complex = pFunction;
+        }
     }
 }
@@ -640,11 +652,13 @@ void apdu_handler(BACNET_ADDRESS *src,
         service_request = &apdu[len];
         service_request_len = apdu_len - (uint16_t)len;
         if (!apdu_confirmed_simple_ack_service(service_choice)) {
-            if (Confirmed_ACK_Function[service_choice]
+            if (service_choice < MAX_BACNET_CONFIRMED_SERVICE) {
+                if (Confirmed_ACK_Function[service_choice]
                     .complex != NULL) {
-                Confirmed_ACK_Function[service_choice].complex(
-                    service_request, service_request_len, src,
-                    &service_ack_data);
+                    Confirmed_ACK_Function[service_choice].complex(
+                        service_request, service_request_len, src,
+                        &service_ack_data);
+                }
             }
             tsm_free_invoke_id(invoke_id);
         }
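Review bot: The added bounds check in apdu_set_confirmed_ack_handler silently drops a registration when service_choice is out of range, and neither the new Doxygen comment nor the void signature tells the caller that; a line such as `@note a service_choice that is not a simple-ack service and is >= MAX_BACNET_CONFIRMED_SERVICE is ignored` would document the contract. The comparison `service_choice < MAX_BACNET_CONFIRMED_SERVICE` is on an enum-typed parameter; if the enum's underlying type is signed on a given compiler, a negative value cast into it would pass, so `(unsigned)service_choice < MAX_BACNET_CONFIRMED_SERVICE` is the more robust form. The check also presumes the Confirmed_ACK_Function table is sized by MAX_BACNET_CONFIRMED_SERVICE; its declaration is outside the hunk, and a compile-time size assertion next to it (if the project's C standard allows one) would keep the two from drifting apart.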
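Review bot: The nested `if (service_choice < MAX_BACNET_CONFIRMED_SERVICE) {` / `if (Confirmed_ACK_Function[service_choice] .complex != NULL) {` in apdu_handler can be a single guard, `if (service_choice < MAX_BACNET_CONFIRMED_SERVICE && Confirmed_ACK_Function[service_choice].complex != NULL) {`, which keeps the call's original indentation and avoids the extra closing brace; short-circuit evaluation still performs the range check before the index. Since service_choice here appears to come from the received apdu buffer, an out-of-range value is a malformed frame, and a debug trace or counter on the rejected path would give operators a detection signal instead of a silent drop (the commit correctly still frees the invoke id either way). apdu_handler starts and ends outside the hunk, and the type service_choice is decoded into is not visible; if it is a signed type the same negative-value caveat as in the setter applies.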