dali/bacnet_stack
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix bacdevobjpropref module decode buffer overflow reads (#541)

Browse Source 
Co-authored-by: Steve Karg <skarg@users.sourceforge.net>
This commit is contained in:
Steve Karg
2023-11-29 15:44:58 -06:00
committed by GitHub
parent 241cd2994f
commit 9780f52640
7 changed files with 645 additions and 448 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/bacnet/bacdevobjpropref.c
+386 -237
View File
@@ -47,10 +47,9 @@
* Add an opening tag, encode the property and finally
* add a closing tag as well.
*
* @param apdu Pointer to the buffer to encode to.
* @param tag_number Tag number.
* @param value Pointer to the object property reference,
* used for encoding.
* @param apdu Pointer to the encode buffer, or NULL for length
* @param tag_number Tag number.
* @param value Pointer to the object property reference, used for encoding.
*
* @return Bytes encoded or 0 on failure.
*/
@@ -62,13 +61,17 @@ int bacapp_encode_context_device_obj_property_ref(uint8_t *apdu,
int apdu_len = 0;
if (value) {
len = encode_opening_tag(&apdu[apdu_len], tag_number);
len = encode_opening_tag(apdu, tag_number);
apdu_len += len;
len = bacapp_encode_device_obj_property_ref(&apdu[apdu_len], value);
if (apdu) {
apdu += len;
}
len = bacapp_encode_device_obj_property_ref(apdu, value);
apdu_len += len;
len = encode_closing_tag(&apdu[apdu_len], tag_number);
if (apdu) {
apdu += len;
}
len = encode_closing_tag(apdu, tag_number);
apdu_len += len;
}
@@ -88,7 +91,7 @@ int bacapp_encode_context_device_obj_property_ref(uint8_t *apdu,
* device-identifier [3] BACnetObjectIdentifier OPTIONAL
* }
*
* @param apdu Pointer to the buffer to encode to.
* @param apdu Pointer to the encode buffer, or NULL for length
* @param value Pointer to the object property reference,
* used for encoding.
*
@@ -104,15 +107,14 @@ int bacapp_encode_device_obj_property_ref(
return apdu_len;
}
/* object-identifier [0] BACnetObjectIdentifier */
len = encode_context_object_id(apdu, 0,
value->objectIdentifier.type, value->objectIdentifier.instance);
len = encode_context_object_id(apdu, 0, value->objectIdentifier.type,
value->objectIdentifier.instance);
apdu_len += len;
if (apdu) {
apdu += len;
}
/* property-identifier [1] BACnetPropertyIdentifier */
len = encode_context_enumerated(
apdu, 1, value->propertyIdentifier);
len = encode_context_enumerated(apdu, 1, value->propertyIdentifier);
apdu_len += len;
if (apdu) {
apdu += len;
@@ -131,14 +133,159 @@ int bacapp_encode_device_obj_property_ref(
* (set type to BACNET_NO_DEV_TYPE or something other than OBJECT_DEVICE to
* omit */
if (value->deviceIdentifier.type == OBJECT_DEVICE) {
len = encode_context_object_id(apdu, 3,
value->deviceIdentifier.type, value->deviceIdentifier.instance);
len = encode_context_object_id(apdu, 3, value->deviceIdentifier.type,
value->deviceIdentifier.instance);
apdu_len += len;
}
return apdu_len;
}
/**
* Decode a property reference of a device object.
*
* BACnetDeviceObjectPropertyReference ::= SEQUENCE {
* object-identifier [0] BACnetObjectIdentifier,
* property-identifier [1] BACnetPropertyIdentifier,
* property-array-index [2] Unsigned OPTIONAL,
* -- used only with array datatype
* -- if omitted with an array then
* -- the entire array is referenced
* device-identifier [3] BACnetObjectIdentifier OPTIONAL
* }
*
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param value Pointer to the structure which contains the decoded value
*
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacnet_device_object_property_reference_decode(uint8_t *apdu,
uint32_t apdu_size,
BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *value)
{
int apdu_len = 0;
int len = 0;
BACNET_UNSIGNED_INTEGER array_index = 0;
BACNET_OBJECT_TYPE object_type = 0;
uint32_t object_instance = 0;
uint32_t property_identifier = 0;
if (!apdu) {
return BACNET_STATUS_ERROR;
}
/* object-identifier [0] BACnetObjectIdentifier */
len = bacnet_object_id_context_decode(&apdu[apdu_len], apdu_size - apdu_len,
0, &object_type, &object_instance);
if (len > 0) {
apdu_len += len;
if (value) {
value->objectIdentifier.instance = object_instance;
value->objectIdentifier.type = object_type;
}
} else {
return BACNET_STATUS_ERROR;
}
/* property-identifier [1] BACnetPropertyIdentifier */
len = bacnet_enumerated_context_decode(
&apdu[apdu_len], apdu_size - apdu_len, 1, &property_identifier);
if (len > 0) {
apdu_len += len;
if (value) {
value->propertyIdentifier = property_identifier;
}
} else {
return BACNET_STATUS_ERROR;
}
/* property-array-index [2] Unsigned OPTIONAL */
if (bacnet_is_context_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, 2, NULL)) {
len = bacnet_unsigned_context_decode(
&apdu[apdu_len], apdu_size - apdu_len, 2, &array_index);
if (len > 0) {
apdu_len += len;
if (value) {
value->arrayIndex = array_index;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
/* OPTIONAL - skip apdu_len increment */
if (value) {
value->arrayIndex = BACNET_ARRAY_ALL;
}
}
/* device-identifier [3] BACnetObjectIdentifier OPTIONAL */
if (bacnet_is_context_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, 3, NULL)) {
len = bacnet_object_id_context_decode(&apdu[apdu_len],
apdu_size - apdu_len, 3, &object_type, &object_instance);
if (len > 0) {
apdu_len += len;
if (value) {
value->deviceIdentifier.type = object_type;
value->deviceIdentifier.instance = object_instance;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
/* OPTIONAL - skip apdu_len increment */
if (value) {
value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
}
}
return apdu_len;
}
/**
* Decode the opening tag and the property reference of
* an device object and check for the closing tag as well.
*
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param tag_number Tag number
* @param value Pointer to the structure which contains the decoded value
*
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacnet_device_object_property_reference_context_decode(uint8_t *apdu,
uint32_t apdu_size,
uint8_t tag_number,
BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *value)
{
int apdu_len = 0;
int len = 0;
if (!apdu) {
return BACNET_STATUS_ERROR;
}
if (bacnet_is_opening_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
apdu_len += len;
len = bacnet_device_object_property_reference_decode(
&apdu[apdu_len], apdu_size - apdu_len, value);
if (len > 0) {
apdu_len += len;
if (bacnet_is_closing_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
apdu_len += len;
} else {
return BACNET_STATUS_ERROR;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
return BACNET_STATUS_ERROR;
}
return apdu_len;
}
/**
* Decode a property reference of a device object.
*
@@ -157,55 +304,13 @@ int bacapp_encode_device_obj_property_ref(
* used to decode the data into.
*
* @return Bytes decoded or BACNET_STATUS_ERROR on failure.
* @deprecated Use bacnet_device_object_property_reference_decode() instead
*/
int bacapp_decode_device_obj_property_ref(
uint8_t *apdu, BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *value)
{
int len;
int apdu_len = 0;
uint32_t enumValue = 0;
/* object-identifier [0] BACnetObjectIdentifier */
len = decode_context_object_id(&apdu[apdu_len], 0,
&value->objectIdentifier.type, &value->objectIdentifier.instance);
if (len == BACNET_STATUS_ERROR) {
return BACNET_STATUS_ERROR;
}
apdu_len += len;
/* property-identifier [1] BACnetPropertyIdentifier */
len = decode_context_enumerated(&apdu[apdu_len], 1, &enumValue);
if (len == BACNET_STATUS_ERROR) {
return BACNET_STATUS_ERROR;
}
value->propertyIdentifier = (BACNET_PROPERTY_ID)enumValue;
apdu_len += len;
/* property-array-index [2] Unsigned OPTIONAL */
if (decode_is_context_tag(&apdu[apdu_len], 2) &&
!decode_is_closing_tag(&apdu[apdu_len])) {
len = decode_context_unsigned(&apdu[apdu_len], 2, &value->arrayIndex);
if (len == BACNET_STATUS_ERROR) {
return BACNET_STATUS_ERROR;
}
apdu_len += len;
} else {
value->arrayIndex = BACNET_ARRAY_ALL;
}
/* device-identifier [3] BACnetObjectIdentifier OPTIONAL */
if (decode_is_context_tag(&apdu[apdu_len], 3) &&
!decode_is_closing_tag(&apdu[apdu_len])) {
if (-1 ==
(len = decode_context_object_id(&apdu[apdu_len], 3,
&value->deviceIdentifier.type,
&value->deviceIdentifier.instance))) {
return -1;
}
apdu_len += len;
} else {
value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
}
return apdu_len;
return bacnet_device_object_property_reference_decode(
apdu, MAX_APDU, value);
}
/**
@@ -218,32 +323,15 @@ int bacapp_decode_device_obj_property_ref(
* used to decode the data into.
*
* @return Bytes decoded or BACNET_STATUS_ERROR on failure.
* @deprecated Use bacnet_device_object_property_reference_context_decode()
* instead
*/
int bacapp_decode_context_device_obj_property_ref(uint8_t *apdu,
uint8_t tag_number,
BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *value)
{
int len = 0;
int section_length;
if (decode_is_opening_tag_number(&apdu[len], tag_number)) {
len++;
section_length =
bacapp_decode_device_obj_property_ref(&apdu[len], value);
if (section_length == BACNET_STATUS_ERROR) {
len = BACNET_STATUS_ERROR;
} else {
len += section_length;
if (decode_is_closing_tag_number(&apdu[len], tag_number)) {
len++;
} else {
len = BACNET_STATUS_ERROR;
}
}
} else {
len = BACNET_STATUS_ERROR;
}
return len;
return bacnet_device_object_property_reference_context_decode(
apdu, MAX_APDU, tag_number, value);
}
/**
@@ -251,14 +339,13 @@ int bacapp_decode_context_device_obj_property_ref(uint8_t *apdu,
* and finally for the closing tag as well.
*
* BACnetDeviceObjectReference ::= SEQUENCE {
* device-identifier [0] BACnetObjectIdentifier OPTIONAL,
* object-identifier [1] BACnetObjectIdentifier
* device-identifier [0] BACnetObjectIdentifier OPTIONAL,
* object-identifier [1] BACnetObjectIdentifier
* }
*
* @param apdu Pointer to the buffer used for encoding.
* @param tag_number Tag number
* @param value Pointer to the device object reference,
* used to encode.
* @param apdu Pointer to the encode buffer, or NULL for length
* @param tag_number Tag number
* @param value Pointer to the device object reference, used to encode.
*
* @return Bytes encoded or 0 on failure.
*/
@@ -269,13 +356,17 @@ int bacapp_encode_context_device_obj_ref(
int apdu_len = 0;
if (value) {
len = encode_opening_tag(&apdu[apdu_len], tag_number);
len = encode_opening_tag(apdu, tag_number);
apdu_len += len;
len = bacapp_encode_device_obj_ref(&apdu[apdu_len], value);
if (apdu) {
apdu += len;
}
len = bacapp_encode_device_obj_ref(apdu, value);
apdu_len += len;
len = encode_closing_tag(&apdu[apdu_len], tag_number);
if (apdu) {
apdu += len;
}
len = encode_closing_tag(apdu, tag_number);
apdu_len += len;
}
@@ -286,13 +377,12 @@ int bacapp_encode_context_device_obj_ref(
* Encode the device object reference.
*
* BACnetDeviceObjectReference ::= SEQUENCE {
* device-identifier [0] BACnetObjectIdentifier OPTIONAL,
* object-identifier [1] BACnetObjectIdentifier
* device-identifier [0] BACnetObjectIdentifier OPTIONAL,
* object-identifier [1] BACnetObjectIdentifier
* }
*
* @param apdu Pointer to the buffer used for encoding.
* @param value Pointer to the device object reference,
* used to encode.
* @param apdu Pointer to the encode buffer, or NULL for length
* @param value Pointer to the device object reference, used to encode.
*
* @return Bytes encoded or 0 on failure.
*/
@@ -302,19 +392,129 @@ int bacapp_encode_device_obj_ref(
int len;
int apdu_len = 0;
/* device-identifier [0] BACnetObjectIdentifier OPTIONAL */
/* Device id is optional so see if needed
* (set type to BACNET_NO_DEV_TYPE or something other than OBJECT_DEVICE to
* omit */
if (value->deviceIdentifier.type == OBJECT_DEVICE) {
len = encode_context_object_id(&apdu[apdu_len], 0,
value->deviceIdentifier.type, value->deviceIdentifier.instance);
if (value) {
/* device-identifier [0] BACnetObjectIdentifier OPTIONAL */
/* Device id is optional so determine if needed and
set type to BACNET_NO_DEV_TYPE or something other
than OBJECT_DEVICE to omit */
if (value->deviceIdentifier.type == OBJECT_DEVICE) {
len = encode_context_object_id(apdu, 0,
value->deviceIdentifier.type, value->deviceIdentifier.instance);
apdu_len += len;
if (apdu) {
apdu += len;
}
}
/* object-identifier [1] BACnetObjectIdentifier */
len = encode_context_object_id(apdu, 1, value->objectIdentifier.type,
value->objectIdentifier.instance);
apdu_len += len;
}
return apdu_len;
}
/**
* Decode the device object reference.
*
* BACnetDeviceObjectReference ::= SEQUENCE {
* device-identifier [0] BACnetObjectIdentifier OPTIONAL,
* object-identifier [1] BACnetObjectIdentifier
* }
*
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param value Pointer to the structure containing the decoded value
*
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacnet_device_object_reference_decode(
uint8_t *apdu, uint32_t apdu_size, BACNET_DEVICE_OBJECT_REFERENCE *value)
{
int len;
int apdu_len = 0;
BACNET_OBJECT_TYPE object_type = 0;
uint32_t object_instance = 0;
if (!apdu) {
return BACNET_STATUS_ERROR;
}
/* device-identifier [0] BACnetObjectIdentifier OPTIONAL */
if (bacnet_is_context_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, 0, NULL)) {
len = bacnet_object_id_context_decode(&apdu[apdu_len],
apdu_size - apdu_len, 0, &object_type, &object_instance);
if (len > 0) {
apdu_len += len;
if (value) {
value->deviceIdentifier.instance = object_instance;
value->deviceIdentifier.type = object_type;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
/* OPTIONAL - skip apdu_len increment */
value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
}
/* object-identifier [1] BACnetObjectIdentifier */
len = encode_context_object_id(&apdu[apdu_len], 1,
value->objectIdentifier.type, value->objectIdentifier.instance);
apdu_len += len;
len = bacnet_object_id_context_decode(&apdu[apdu_len], apdu_size - apdu_len,
1, &object_type, &object_instance);
if (len > 0) {
apdu_len += len;
if (value) {
value->objectIdentifier.instance = object_instance;
value->objectIdentifier.type = object_type;
}
} else {
return BACNET_STATUS_ERROR;
}
return apdu_len;
}
/**
* Decode the context device object reference. Check for
* an opening tag and a closing tag as well.
*
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param tag_number Tag number
* @param value Pointer to the structure containing the decoded value
*
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacnet_device_object_reference_context_decode(uint8_t *apdu,
uint32_t apdu_size,
uint8_t tag_number,
BACNET_DEVICE_OBJECT_REFERENCE *value)
{
int apdu_len = 0;
int len = 0;
if (!apdu) {
return BACNET_STATUS_ERROR;
}
if (bacnet_is_opening_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
apdu_len += len;
len = bacnet_device_object_reference_decode(
&apdu[apdu_len], apdu_size - apdu_len, value);
if (len > 0) {
apdu_len += len;
if (bacnet_is_closing_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
apdu_len += len;
} else {
return BACNET_STATUS_ERROR;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
return BACNET_STATUS_ERROR;
}
return apdu_len;
}
@@ -332,35 +532,12 @@ int bacapp_encode_device_obj_ref(
* that shall be decoded.
*
* @return Bytes decoded or BACNET_STATUS_ERROR on failure.
* @deprecated Use bacnet_device_object_reference_decode() instead.
*/
int bacapp_decode_device_obj_ref(
uint8_t *apdu, BACNET_DEVICE_OBJECT_REFERENCE *value)
{
int len;
int apdu_len = 0;
/* device-identifier [0] BACnetObjectIdentifier OPTIONAL */
if (decode_is_context_tag(&apdu[apdu_len], 0) &&
!decode_is_closing_tag(&apdu[apdu_len])) {
len = decode_context_object_id(&apdu[apdu_len], 0,
&value->deviceIdentifier.type, &value->deviceIdentifier.instance);
if (len == BACNET_STATUS_ERROR) {
return BACNET_STATUS_ERROR;
}
apdu_len += len;
} else {
value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
}
/* object-identifier [1] BACnetObjectIdentifier */
len = decode_context_object_id(&apdu[apdu_len], 1,
&value->objectIdentifier.type, &value->objectIdentifier.instance);
if (len == BACNET_STATUS_ERROR) {
return BACNET_STATUS_ERROR;
}
apdu_len += len;
return apdu_len;
return bacnet_device_object_reference_decode(apdu, MAX_APDU, value);
}
/**
@@ -373,30 +550,13 @@ int bacapp_decode_device_obj_ref(
* that shall be decoded.
*
* @return Bytes decoded or BACNET_STATUS_ERROR on failure.
* @deprecated Use bacnet_device_object_reference_context_decode() instead.
*/
int bacapp_decode_context_device_obj_ref(
uint8_t *apdu, uint8_t tag_number, BACNET_DEVICE_OBJECT_REFERENCE *value)
{
int len = 0;
int section_length;
if (decode_is_opening_tag_number(&apdu[len], tag_number)) {
len++;
section_length = bacapp_decode_device_obj_ref(&apdu[len], value);
if (section_length == BACNET_STATUS_ERROR) {
len = BACNET_STATUS_ERROR;
} else {
len += section_length;
if (decode_is_closing_tag_number(&apdu[len], tag_number)) {
len++;
} else {
len = BACNET_STATUS_ERROR;
}
}
} else {
len = BACNET_STATUS_ERROR;
}
return len;
return bacnet_device_object_reference_context_decode(
apdu, MAX_APDU, tag_number, value);
}
/**
@@ -418,7 +578,6 @@ int bacapp_encode_obj_property_ref(
uint8_t *apdu, BACNET_OBJECT_PROPERTY_REFERENCE *reference)
{
int len = 0;
uint8_t *apdu_offset = NULL;
int apdu_len = 0;
if (!reference) {
@@ -427,25 +586,19 @@ int bacapp_encode_obj_property_ref(
if (reference->object_identifier.type == OBJECT_NONE) {
return 0;
}
if (apdu) {
apdu_offset = apdu;
}
len = encode_context_object_id(apdu_offset, 0,
reference->object_identifier.type,
len = encode_context_object_id(apdu, 0, reference->object_identifier.type,
reference->object_identifier.instance);
apdu_len += len;
if (apdu) {
apdu_offset = &apdu[apdu_len];
apdu += len;
}
len = encode_context_enumerated(
apdu_offset, 1, reference->property_identifier);
len = encode_context_enumerated(apdu, 1, reference->property_identifier);
apdu_len += len;
if (apdu) {
apdu_offset = &apdu[apdu_len];
apdu += len;
}
if (reference->property_array_index != BACNET_ARRAY_ALL) {
len = encode_context_unsigned(
apdu_offset, 2, reference->property_array_index);
len = encode_context_unsigned(apdu, 2, reference->property_array_index);
apdu_len += len;
}
@@ -465,25 +618,21 @@ int bacapp_encode_context_obj_property_ref(uint8_t *apdu,
{
int len = 0;
int apdu_len = 0;
uint8_t *apdu_offset = NULL;
if (reference && (reference->object_identifier.type == OBJECT_NONE)) {
return 0;
}
if (apdu) {
apdu_offset = apdu;
}
len = encode_opening_tag(apdu_offset, tag_number);
len = encode_opening_tag(apdu, tag_number);
apdu_len += len;
if (apdu) {
apdu_offset = &apdu[apdu_len];
apdu += len;
}
len = bacapp_encode_obj_property_ref(apdu_offset, reference);
len = bacapp_encode_obj_property_ref(apdu, reference);
apdu_len += len;
if (apdu) {
apdu_offset = &apdu[apdu_len];
apdu += len;
}
len = encode_closing_tag(apdu_offset, tag_number);
len = encode_closing_tag(apdu, tag_number);
apdu_len += len;
return apdu_len;
@@ -500,13 +649,13 @@ int bacapp_encode_context_obj_property_ref(uint8_t *apdu,
* -- if omitted with an array the entire array is referenced
* }
*
* @param apdu - the APDU buffer
* @param apdu_len_max - the APDU buffer length
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param reference - BACnetObjectPropertyReference to decode into
* @return length of the APDU buffer decoded, or 0 if failed to decode
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacapp_decode_obj_property_ref(uint8_t *apdu,
uint16_t apdu_len_max,
uint16_t apdu_size,
BACNET_OBJECT_PROPERTY_REFERENCE *reference)
{
int apdu_len = 0;
@@ -515,48 +664,51 @@ int bacapp_decode_obj_property_ref(uint8_t *apdu,
uint32_t property_identifier;
BACNET_UNSIGNED_INTEGER unsigned_value;
if (apdu && (apdu_len_max > 0)) {
/* object-identifier [0] BACnetObjectIdentifier */
len = bacnet_object_id_context_decode(&apdu[apdu_len],
apdu_len_max - apdu_len, 0, &object_identifier.type,
&object_identifier.instance);
if (!apdu) {
return BACNET_STATUS_ERROR;
}
/* object-identifier [0] BACnetObjectIdentifier */
len = bacnet_object_id_context_decode(&apdu[apdu_len], apdu_size - apdu_len,
0, &object_identifier.type, &object_identifier.instance);
if (len > 0) {
apdu_len += len;
} else if (len <= 0) {
return BACNET_STATUS_ERROR;
}
/* property-identifier [1] BACnetPropertyIdentifier */
len = bacnet_enumerated_context_decode(
&apdu[apdu_len], apdu_size - apdu_len, 1, &property_identifier);
if (len > 0) {
apdu_len += len;
} else if (len <= 0) {
return BACNET_STATUS_ERROR;
}
if (reference) {
reference->object_identifier.type = object_identifier.type;
reference->object_identifier.instance = object_identifier.instance;
reference->property_identifier =
(BACNET_PROPERTY_ID)property_identifier;
}
/* property-array-index [2] Unsigned OPTIONAL */
if (bacnet_is_opening_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, 2, NULL)) {
len = bacnet_unsigned_context_decode(
&apdu[apdu_len], apdu_size - apdu_len, 2, &unsigned_value);
if (len > 0) {
apdu_len += len;
} else if (len <= 0) {
return 0;
}
/* property-identifier [1] BACnetPropertyIdentifier */
len = bacnet_enumerated_context_decode(
&apdu[apdu_len], apdu_len_max - apdu_len, 1, &property_identifier);
if (len > 0) {
apdu_len += len;
} else if (len <= 0) {
return 0;
}
if (reference) {
reference->object_identifier.type = object_identifier.type;
reference->object_identifier.instance = object_identifier.instance;
reference->property_identifier =
(BACNET_PROPERTY_ID)property_identifier;
reference->property_array_index = BACNET_ARRAY_ALL;
}
/* property-array-index [2] Unsigned OPTIONAL */
if (apdu_len_max > apdu_len) {
if (decode_is_context_tag(&apdu[apdu_len], 2)) {
len = bacnet_unsigned_context_decode(&apdu[apdu_len],
apdu_len_max - apdu_len, 2, &unsigned_value);
if (len > 0) {
apdu_len += len;
if (unsigned_value > UINT32_MAX) {
return 0;
}
if (reference) {
reference->property_array_index = unsigned_value;
}
} else if (len <= 0) {
return 0;
}
if (unsigned_value > UINT32_MAX) {
return BACNET_STATUS_ERROR;
}
if (reference) {
reference->property_array_index = unsigned_value;
}
} else {
return BACNET_STATUS_ERROR;
}
} else {
/* OPTIONAL - skip apdu_len increment */
if (reference) {
reference->property_array_index = BACNET_ARRAY_ALL;
}
}
@@ -567,42 +719,39 @@ int bacapp_decode_obj_property_ref(uint8_t *apdu,
* Decode the context object property reference. Check for
* an opening tag and a closing tag as well.
*
* @param apdu Pointer to the buffer containing the data to decode.
* @param apdu_len_max - the APDU buffer length
* @param apdu Pointer to the buffer containing the encoded value
* @param apdu_size Size of the buffer containing the encoded value
* @param tag_number Tag number
* @param value Pointer to the context device object reference,
* that shall be decoded.
* @param value Pointer to the structure that shall be decoded into.
*
* @return Bytes decoded or BACNET_STATUS_ERROR on failure.
* @return number of bytes decoded or BACNET_STATUS_ERROR on failure.
*/
int bacapp_decode_context_obj_property_ref(uint8_t *apdu,
uint16_t apdu_len_max,
uint16_t apdu_size,
uint8_t tag_number,
BACNET_OBJECT_PROPERTY_REFERENCE *value)
{
int len = 0;
int apdu_len = 0;
if (apdu_len_max == 0) {
if (!apdu) {
return BACNET_STATUS_ERROR;
}
if (decode_is_opening_tag_number(&apdu[apdu_len], tag_number)) {
apdu_len++;
} else {
if (!bacnet_is_opening_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
return BACNET_STATUS_ERROR;
}
apdu_len += len;
len = bacapp_decode_obj_property_ref(
&apdu[apdu_len], apdu_len_max - apdu_len, value);
if (len == 0) {
return BACNET_STATUS_ERROR;
} else {
&apdu[apdu_len], apdu_size - apdu_len, value);
if (len > 0) {
apdu_len += len;
}
if ((apdu_len_max - apdu_len) == 0) {
return BACNET_STATUS_ERROR;
}
if (decode_is_closing_tag_number(&apdu[apdu_len], tag_number)) {
apdu_len++;
if (bacnet_is_closing_tag_number(
&apdu[apdu_len], apdu_size - apdu_len, tag_number, &len)) {
apdu_len += len;
} else {
return BACNET_STATUS_ERROR;
}
} else {
return BACNET_STATUS_ERROR;
}