Added apdu length checking in who-is decode. Now returning standard error define.

2013-10-31 15:50:35 +00:00
parent 1b9d85e7e7
commit 55599cafaa
2 changed files with 88 additions and 39 deletions
@@ -81,22 +81,46 @@ int whois_decode_service_request(
    if (apdu_len) {
        len +=
            decode_tag_number_and_value(&apdu[len], &tag_number, &len_value);
-        if (tag_number != 0)
-            return -1;
-        len += decode_unsigned(&apdu[len], len_value, &decoded_value);
-        if (decoded_value <= BACNET_MAX_INSTANCE) {
-            if (pLow_limit)
-                *pLow_limit = decoded_value;
+        if (tag_number != 0) {
+            return BACNET_STATUS_ERROR;
        }
-        len +=
-            decode_tag_number_and_value(&apdu[len], &tag_number, &len_value);
-        if (tag_number != 1)
-            return -1;
-        len += decode_unsigned(&apdu[len], len_value, &decoded_value);
-        if (decoded_value <= BACNET_MAX_INSTANCE) {
-            if (pHigh_limit)
-                *pHigh_limit = decoded_value;
+        if (apdu_len > len) {
+            len += decode_unsigned(&apdu[len], len_value, &decoded_value);
+            if (decoded_value <= BACNET_MAX_INSTANCE) {
+                if (pLow_limit) {
+                    *pLow_limit = decoded_value;
+                }
+            }
+            if (apdu_len > len) {
+                len +=
+                    decode_tag_number_and_value(&apdu[len], &tag_number, &len_value);
+                if (tag_number != 1) {
+                    return BACNET_STATUS_ERROR;
+                }
+                if (apdu_len > len) {
+                    len += decode_unsigned(&apdu[len], len_value, &decoded_value);
+                    if (decoded_value <= BACNET_MAX_INSTANCE) {
+                        if (pHigh_limit) {
+                            *pHigh_limit = decoded_value;
+                        }
+                    }
+                } else {
+                    return BACNET_STATUS_ERROR;
+                }
+            } else {
+                return BACNET_STATUS_ERROR;
+            }
+        } else {
+            return BACNET_STATUS_ERROR;
        }
+    } else {
+        if (pLow_limit) {
+            *pLow_limit = -1;
+        }
+        if (pHigh_limit) {
+            *pHigh_limit = -1;
+        }
+        len = 0;
    }

    return len;
@@ -115,15 +139,18 @@ int whois_decode_apdu(
 {
    int len = 0;

-    if (!apdu)
-        return -1;
-    /* optional checking - most likely was already done prior to this call */
-    if (apdu[0] != PDU_TYPE_UNCONFIRMED_SERVICE_REQUEST)
-        return -1;
-    if (apdu[1] != SERVICE_UNCONFIRMED_WHO_IS)
-        return -1;
+    if (!apdu) {
+        return BACNET_STATUS_ERROR;
+    }
    /* optional limits - must be used as a pair */
-    if (apdu_len > 2) {
+    if (apdu_len >= 2) {
+        /* optional checking - most likely was already done prior to this call */
+        if (apdu[0] != PDU_TYPE_UNCONFIRMED_SERVICE_REQUEST) {
+            return BACNET_STATUS_ERROR;
+        }
+        if (apdu[1] != SERVICE_UNCONFIRMED_WHO_IS) {
+            return BACNET_STATUS_ERROR;
+        }
        len =
            whois_decode_service_request(&apdu[2], apdu_len - 2, pLow_limit,
            pHigh_limit);
@@ -140,35 +167,55 @@ void testWhoIs(
    int apdu_len = 0;
    int32_t low_limit = -1;
    int32_t high_limit = -1;
-    int32_t test_low_limit = -1;
-    int32_t test_high_limit = -1;
+    int32_t test_low_limit = 0;
+    int32_t test_high_limit = 0;

+    /* normal who-is without limits */
    len = whois_encode_apdu(&apdu[0], low_limit, high_limit);
-    ct_test(pTest, len != 0);
+    ct_test(pTest, len > 0);
    apdu_len = len;

    len =
        whois_decode_apdu(&apdu[0], apdu_len, &test_low_limit,
        &test_high_limit);
-    ct_test(pTest, len != -1);
+    ct_test(pTest, len != BACNET_STATUS_ERROR);
    ct_test(pTest, test_low_limit == low_limit);
    ct_test(pTest, test_high_limit == high_limit);

+    /* normal who-is with limits - complete range */
    for (low_limit = 0; low_limit <= BACNET_MAX_INSTANCE;
        low_limit += (BACNET_MAX_INSTANCE / 4)) {
        for (high_limit = 0; high_limit <= BACNET_MAX_INSTANCE;
            high_limit += (BACNET_MAX_INSTANCE / 4)) {
            len = whois_encode_apdu(&apdu[0], low_limit, high_limit);
            apdu_len = len;
-            ct_test(pTest, len != 0);
+            ct_test(pTest, len > 0);
            len =
                whois_decode_apdu(&apdu[0], apdu_len, &test_low_limit,
                &test_high_limit);
-            ct_test(pTest, len != -1);
+            ct_test(pTest, len != BACNET_STATUS_ERROR);
            ct_test(pTest, test_low_limit == low_limit);
            ct_test(pTest, test_high_limit == high_limit);
        }
    }
+    /* abnormal case:
+       who-is with no limits, but with APDU containing 2 limits */
+    low_limit = 0;
+    high_limit = 0;
+    len = whois_encode_apdu(&apdu[0], low_limit, high_limit);
+    ct_test(pTest, len > 0);
+    apdu_len = len;
+    low_limit = -1;
+    high_limit = -1;
+    len = whois_encode_apdu(&apdu[0], low_limit, high_limit);
+    ct_test(pTest, len > 0);
+    apdu_len = len;
+    len =
+        whois_decode_apdu(&apdu[0], apdu_len, &test_low_limit,
+        &test_high_limit);
+    ct_test(pTest, len != BACNET_STATUS_ERROR);
+    ct_test(pTest, test_low_limit == low_limit);
+    ct_test(pTest, test_high_limit == high_limit);
 }

 #ifdef TEST_WHOIS