dali/bacnet_stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WriteProperty decoding length underflow (#1231)

Browse Source 
When decoding the optional priority context tag in wp_decode_service_request(), the code passes apdu_len - apdu_size to bacnet_unsigned_context_decode instead of apdu_size - apdu_len. Similar typo in bacnet_action_command_decode().
This commit is contained in:
Steve Karg
2026-02-13 08:44:39 -06:00
committed by GitHub
parent 05027855ef
commit 4cc8067c86
3 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+3 -1
View File
@@ -12,10 +12,12 @@ The git repositories are hosted at the following sites:
* https://bacnet.sourceforge.net/
* https://github.com/bacnet-stack/bacnet-stack/
## [Unreleased] - 2026-02-09
## [Unreleased] - 2026-02-13
### Security
* Secured decoding length underflow in wp_decode_service_request() and
bacnet_action_command_decode() which had similar issue. (#1231)
* Secured Schedule_Weekly_Schedule_Set() the example schedule object
by fixing stack buffer overflow. The memcpy was using
sizeof(BACNET_WEEKLY_SCHEDULE) instead of sizeof(BACNET_DAILY_SCHEDULE),
src/bacnet/bacaction.c
+4 -4
View File
@@ -464,7 +464,7 @@ int bacnet_action_command_decode(
apdu_len += len;
/* priority [5] Unsigned (1..16) OPTIONAL */
len = bacnet_unsigned_context_decode(
&apdu[apdu_len], apdu_len - apdu_size, 5, &unsigned_value);
&apdu[apdu_len], apdu_size - apdu_len, 5, &unsigned_value);
if (len > 0) {
apdu_len += len;
if ((unsigned_value >= BACNET_MIN_PRIORITY) &&
@@ -483,7 +483,7 @@ int bacnet_action_command_decode(
}
/* postDelay [6] Unsigned OPTIONAL */
len = bacnet_unsigned_context_decode(
&apdu[apdu_len], apdu_len - apdu_size, 6, &unsigned_value);
&apdu[apdu_len], apdu_size - apdu_len, 6, &unsigned_value);
if (len > 0) {
apdu_len += len;
if (entry) {
@@ -497,7 +497,7 @@ int bacnet_action_command_decode(
}
/* quitOnFailure [7] BOOLEAN */
len = bacnet_boolean_context_decode(
&apdu[apdu_len], apdu_len - apdu_size, 7, &boolean_value);
&apdu[apdu_len], apdu_size - apdu_len, 7, &boolean_value);
if (len > 0) {
apdu_len += len;
if (entry) {
@@ -508,7 +508,7 @@ int bacnet_action_command_decode(
}
/* writeSuccessful [8] BOOLEAN */
len = bacnet_boolean_context_decode(
&apdu[apdu_len], apdu_len - apdu_size, 8, &boolean_value);
&apdu[apdu_len], apdu_size - apdu_len, 8, &boolean_value);
if (len > 0) {
apdu_len += len;
if (entry) {
src/bacnet/wp.c
+1 -1
View File
@@ -277,7 +277,7 @@ int wp_decode_service_request(
}
if ((unsigned)apdu_len < apdu_size) {
len = bacnet_unsigned_context_decode(
&apdu[apdu_len], apdu_len - apdu_size, 4, &unsigned_value);
&apdu[apdu_len], apdu_size - apdu_len, 4, &unsigned_value);
if (len > 0) {
apdu_len += len;
if ((unsigned_value >= BACNET_MIN_PRIORITY) &&