Fix bacdevobjpropref module decode buffer overflow reads (#541)

Co-authored-by: Steve Karg <skarg@users.sourceforge.net>
2023-11-29 15:44:58 -06:00
parent 241cd2994f
commit 9780f52640
7 changed files with 645 additions and 448 deletions
@@ -337,8 +337,9 @@ int bacapp_decode_data(uint8_t *apdu,
                break;
            case BACNET_APPLICATION_TAG_DEVICE_OBJECT_PROPERTY_REFERENCE:
                /* BACnetDeviceObjectPropertyReference */
-                len = bacapp_decode_device_obj_property_ref(
-                    apdu, &value->type.Device_Object_Property_Reference);
+                len = bacnet_device_object_property_reference_decode(
+                    apdu, len_value_type, 
+                    &value->type.Device_Object_Property_Reference);
                break;
            case BACNET_APPLICATION_TAG_DEVICE_OBJECT_REFERENCE:
                /* BACnetDeviceObjectReference */
@@ -1264,8 +1265,9 @@ int bacapp_decode_known_property(uint8_t *apdu,
        case PROP_LOG_DEVICE_OBJECT_PROPERTY:
        case PROP_LIST_OF_OBJECT_PROPERTY_REFERENCES:
            /* Properties using BACnetDeviceObjectPropertyReference */
-            len = bacapp_decode_device_obj_property_ref(
-                apdu, &value->type.Device_Object_Property_Reference);
+            len = bacnet_device_object_property_reference_decode(
+                apdu, max_apdu_len, 
+                &value->type.Device_Object_Property_Reference);
            break;

        case PROP_MANIPULATED_VARIABLE_REFERENCE: