Fix bacdevobjpropref module decode buffer overflow reads (#541)

Co-authored-by: Steve Karg <skarg@users.sourceforge.net>
2023-11-29 15:44:58 -06:00
parent 241cd2994f
commit 9780f52640
7 changed files with 645 additions and 448 deletions
@@ -1024,13 +1024,12 @@ int event_notify_decode_service_request(

                        case EVENT_BUFFER_READY:
                            /* Tag 0 - bufferProperty */
-                            if (-1 ==
-                                (section_length =
-                                        bacapp_decode_context_device_obj_property_ref(
-                                            &apdu[len], 0,
-                                            &data->notificationParams
-                                                 .bufferReady
-                                                 .bufferProperty))) {
+                            section_length =
+                                bacnet_device_object_property_reference_context_decode(
+                                    &apdu[len], apdu_len - len, 0,
+                                    &data->notificationParams.bufferReady
+                                         .bufferProperty);
+                            if (section_length <= 0) {
                                return -1;
                            }
                            len += section_length;