Fix bacdevobjpropref module decode buffer overflow reads (#541)

Co-authored-by: Steve Karg <skarg@users.sourceforge.net>
2023-11-29 15:44:58 -06:00
parent 241cd2994f
commit 9780f52640
7 changed files with 645 additions and 448 deletions
@@ -1,13 +1,15 @@
-/*
- * Copyright (c) 2020 Legrand North America, LLC.
+/**
+ * @file
+ * @brief Unit test for BACnetObjectPropertyReference and
+ * BACnetDeviceObjectReference and BACnetDeviceObjectPropertyReference encode
+ * and decode API
+ * @author Steve Karg <skarg@users.sourceforge.net>
+ * @date November 2023
+ * @section LICENSE
 *
 * SPDX-License-Identifier: MIT
 */

-/* @file
- * @brief test BACnet integer encode/decode APIs
- */
-
 #include <zephyr/ztest.h>
 #include <bacnet/bacdcode.h>
 #include <bacnet/bacdevobjpropref.h>
@@ -20,42 +22,63 @@
 /**
 * @brief Test
 */
-static void testDevObjPropRef(
-    BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *inData)
+static void testDevObjPropRef(BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE *data)
 {
-    BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE outData;
-    uint8_t buffer[MAX_APDU] = { 0 };
-    int inLen = 0;
-    int outLen = 0;
+    BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE test_data;
+    uint8_t apdu[MAX_APDU] = { 0 };
+    int len = 0;
+    int test_len = 0;
+    int null_len = 0;

    /* encode */
-    inLen = bacapp_encode_device_obj_property_ref(buffer, inData);
-    /* add a closing tag at the end of the buffer to verify proper handling
+    null_len = bacapp_encode_device_obj_property_ref(NULL, data);
+    len = bacapp_encode_device_obj_property_ref(apdu, data);
+    zassert_equal(null_len, len, "null_len=%d len=%d", null_len, len);
+    /* add a closing tag at the end of the apdu to verify proper handling
       when that is encountered in real packets */
-    encode_closing_tag(&buffer[inLen], 3);
+    encode_closing_tag(&apdu[len], 3);
    /* decode */
-    outLen = bacapp_decode_device_obj_property_ref(buffer, &outData);
-    zassert_equal(outLen, inLen, NULL);
+    null_len = bacnet_device_object_property_reference_decode(apdu, len, NULL);
+    test_len =
+        bacnet_device_object_property_reference_decode(apdu, len, &test_data);
+    zassert_equal(null_len, len, "null_len=%d len=%d", null_len, len);
+    zassert_equal(test_len, len, "test_len=%d len=%d", test_len, len);
+    zassert_equal(data->objectIdentifier.instance,
+        test_data.objectIdentifier.instance, NULL);
    zassert_equal(
-        inData->objectIdentifier.instance, outData.objectIdentifier.instance, NULL);
-    zassert_equal(
-        inData->objectIdentifier.type, outData.objectIdentifier.type, NULL);
-    zassert_equal(inData->propertyIdentifier, outData.propertyIdentifier, NULL);
-    if (inData->arrayIndex != BACNET_ARRAY_ALL) {
-        zassert_equal(inData->arrayIndex, outData.arrayIndex, NULL);
+        data->objectIdentifier.type, test_data.objectIdentifier.type, NULL);
+    zassert_equal(data->propertyIdentifier, test_data.propertyIdentifier, NULL);
+    if (data->arrayIndex != BACNET_ARRAY_ALL) {
+        zassert_equal(data->arrayIndex, test_data.arrayIndex, NULL);
    } else {
-        zassert_equal(outData.arrayIndex, BACNET_ARRAY_ALL, NULL);
+        zassert_equal(test_data.arrayIndex, BACNET_ARRAY_ALL, NULL);
    }
-    if (inData->deviceIdentifier.type == OBJECT_DEVICE) {
+    if (data->deviceIdentifier.type == OBJECT_DEVICE) {
+        zassert_equal(data->deviceIdentifier.instance,
+            test_data.deviceIdentifier.instance, NULL);
        zassert_equal(
-            inData->deviceIdentifier.instance,
-                outData.deviceIdentifier.instance, NULL);
-        zassert_equal(
-            inData->deviceIdentifier.type, outData.deviceIdentifier.type, NULL);
+            data->deviceIdentifier.type, test_data.deviceIdentifier.type, NULL);
    } else {
-        zassert_equal(outData.deviceIdentifier.instance, BACNET_NO_DEV_ID, NULL);
-        zassert_equal(outData.deviceIdentifier.type, BACNET_NO_DEV_TYPE, NULL);
+        zassert_equal(
+            test_data.deviceIdentifier.instance, BACNET_NO_DEV_ID, NULL);
+        zassert_equal(
+            test_data.deviceIdentifier.type, BACNET_NO_DEV_TYPE, NULL);
    }
+    while (--len) {
+        test_len = bacnet_device_object_property_reference_decode(
+            apdu, len, &test_data);
+        if ((len > 0) && (test_data.arrayIndex == BACNET_ARRAY_ALL)) {
+            /* special case when optional portion is exactly missing */
+        } else if ((len > 0) &&
+            (test_data.deviceIdentifier.type == BACNET_NO_DEV_TYPE)) {
+            /* special case when optional portion is exactly missing */
+        } else {
+            zassert_true(test_len <= 0, "test_len=%d len=%d", test_len, len);
+        }
+    }
+    test_len = bacnet_device_object_property_reference_decode(
+        NULL, sizeof(apdu), &test_data);
+    zassert_true(test_len <= 0, "test_len=%d len=%d", test_len, len);
 }

 #if defined(CONFIG_ZTEST_NEW_API)
@@ -64,40 +87,40 @@ ZTEST(bacdevobjpropref_tests, testDevIdPropRef)
 static void testDevIdPropRef(void)
 #endif
 {
-    BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE inData;
+    BACNET_DEVICE_OBJECT_PROPERTY_REFERENCE data;

    /* everything encoded */
-    inData.objectIdentifier.instance = 0x1234;
-    inData.objectIdentifier.type = 15;
-    inData.propertyIdentifier = 25;
-    inData.arrayIndex = 0x5678;
-    inData.deviceIdentifier.instance = 0x4343;
-    inData.deviceIdentifier.type = OBJECT_DEVICE;
-    testDevObjPropRef(&inData);
+    data.objectIdentifier.instance = 0x1234;
+    data.objectIdentifier.type = 15;
+    data.propertyIdentifier = 25;
+    data.arrayIndex = 0x5678;
+    data.deviceIdentifier.instance = 0x4343;
+    data.deviceIdentifier.type = OBJECT_DEVICE;
+    testDevObjPropRef(&data);
    /* optional array */
-    inData.objectIdentifier.instance = 0x1234;
-    inData.objectIdentifier.type = 15;
-    inData.propertyIdentifier = 25;
-    inData.arrayIndex = BACNET_ARRAY_ALL;
-    inData.deviceIdentifier.instance = 0x4343;
-    inData.deviceIdentifier.type = OBJECT_DEVICE;
-    testDevObjPropRef(&inData);
+    data.objectIdentifier.instance = 0x1234;
+    data.objectIdentifier.type = 15;
+    data.propertyIdentifier = 25;
+    data.arrayIndex = BACNET_ARRAY_ALL;
+    data.deviceIdentifier.instance = 0x4343;
+    data.deviceIdentifier.type = OBJECT_DEVICE;
+    testDevObjPropRef(&data);
    /* optional device ID */
-    inData.objectIdentifier.instance = 0x1234;
-    inData.objectIdentifier.type = 15;
-    inData.propertyIdentifier = 25;
-    inData.arrayIndex = 1;
-    inData.deviceIdentifier.instance = 0;
-    inData.deviceIdentifier.type = BACNET_NO_DEV_TYPE;
-    testDevObjPropRef(&inData);
+    data.objectIdentifier.instance = 0x1234;
+    data.objectIdentifier.type = 15;
+    data.propertyIdentifier = 25;
+    data.arrayIndex = 1;
+    data.deviceIdentifier.instance = 0;
+    data.deviceIdentifier.type = BACNET_NO_DEV_TYPE;
+    testDevObjPropRef(&data);
    /* optional array + optional device ID */
-    inData.objectIdentifier.instance = 0x1234;
-    inData.objectIdentifier.type = 15;
-    inData.propertyIdentifier = 25;
-    inData.arrayIndex = BACNET_ARRAY_ALL;
-    inData.deviceIdentifier.instance = 0;
-    inData.deviceIdentifier.type = BACNET_NO_DEV_TYPE;
-    testDevObjPropRef(&inData);
+    data.objectIdentifier.instance = 0x1234;
+    data.objectIdentifier.type = 15;
+    data.propertyIdentifier = 25;
+    data.arrayIndex = BACNET_ARRAY_ALL;
+    data.deviceIdentifier.instance = 0;
+    data.deviceIdentifier.type = BACNET_NO_DEV_TYPE;
+    testDevObjPropRef(&data);
 }

 #if defined(CONFIG_ZTEST_NEW_API)
@@ -106,21 +129,33 @@ ZTEST(bacdevobjpropref_tests, testDevIdRef)
 static void testDevIdRef(void)
 #endif
 {
-    BACNET_DEVICE_OBJECT_REFERENCE inData;
-    BACNET_DEVICE_OBJECT_REFERENCE outData;
-    uint8_t buffer[MAX_APDU];
-    int inLen;
-    int outLen;
+    BACNET_DEVICE_OBJECT_REFERENCE data;
+    BACNET_DEVICE_OBJECT_REFERENCE test_data;
+    uint8_t apdu[MAX_APDU];
+    int len;
+    int test_len;
+    int null_len;

-    inData.deviceIdentifier.instance = 0x4343;
-    inData.deviceIdentifier.type = OBJECT_DEVICE;
-    inLen = bacapp_encode_device_obj_ref(buffer, &inData);
-    outLen = bacapp_decode_device_obj_ref(buffer, &outData);
-    zassert_equal(outLen, inLen, NULL);
+    data.deviceIdentifier.instance = 0x4343;
+    data.deviceIdentifier.type = OBJECT_DEVICE;
+    null_len = bacapp_encode_device_obj_ref(NULL, &data);
+    len = bacapp_encode_device_obj_ref(apdu, &data);
+    zassert_equal(null_len, len, NULL);
+    test_len = bacnet_device_object_reference_decode(apdu, len, &test_data);
+    zassert_equal(test_len, len, NULL);
+    null_len = bacnet_device_object_reference_decode(apdu, len, NULL);
+    zassert_equal(test_len, null_len, NULL);
+    zassert_equal(data.deviceIdentifier.instance,
+        test_data.deviceIdentifier.instance, NULL);
    zassert_equal(
-        inData.deviceIdentifier.instance, outData.deviceIdentifier.instance, NULL);
-    zassert_equal(
-        inData.deviceIdentifier.type, outData.deviceIdentifier.type, NULL);
+        data.deviceIdentifier.type, test_data.deviceIdentifier.type, NULL);
+    while (--len) {
+        test_len = bacnet_device_object_reference_decode(apdu, len, &test_data);
+        zassert_true(test_len <= 0, NULL);
+    }
+    test_len =
+        bacnet_device_object_reference_decode(NULL, sizeof(apdu), &test_data);
+    zassert_true(test_len <= 0, NULL);
 }

 #if defined(CONFIG_ZTEST_NEW_API)
@@ -129,66 +164,71 @@ ZTEST(bacdevobjpropref_tests, testObjPropRef)
 static void testObjPropRef(void)
 #endif
 {
-    BACNET_OBJECT_PROPERTY_REFERENCE inData;
-    BACNET_OBJECT_PROPERTY_REFERENCE outData;
+    BACNET_OBJECT_PROPERTY_REFERENCE data;
+    BACNET_OBJECT_PROPERTY_REFERENCE test_data;
    uint8_t apdu[MAX_APDU];
    uint8_t tag_number = 1;
-    int inLen;
-    int outLen;
+    int len;
+    int test_len;
+    int null_len;

-    inData.object_identifier.instance = 12345;
-    inData.object_identifier.type = OBJECT_ANALOG_VALUE;
-    inData.property_identifier = PROP_PRESENT_VALUE;
-    inData.property_array_index = BACNET_ARRAY_ALL;
-    inLen = bacapp_encode_obj_property_ref(apdu, &inData);
-    outLen = bacapp_decode_obj_property_ref(apdu, inLen, &outData);
-    zassert_equal(outLen, inLen, NULL);
+    data.object_identifier.instance = 12345;
+    data.object_identifier.type = OBJECT_ANALOG_VALUE;
+    data.property_identifier = PROP_PRESENT_VALUE;
+    data.property_array_index = BACNET_ARRAY_ALL;
+    null_len = bacapp_encode_obj_property_ref(NULL, &data);
+    len = bacapp_encode_obj_property_ref(apdu, &data);
+    zassert_equal(null_len, len, NULL);
+    test_len = bacapp_decode_obj_property_ref(apdu, len, &test_data);
+    zassert_equal(test_len, len, NULL);
    zassert_equal(
-        inData.object_identifier.type,
-        outData.object_identifier.type, NULL);
+        data.object_identifier.type, test_data.object_identifier.type, NULL);
+    zassert_equal(data.object_identifier.instance,
+        test_data.object_identifier.instance, NULL);
    zassert_equal(
-        inData.object_identifier.instance,
-        outData.object_identifier.instance, NULL);
+        data.property_identifier, test_data.property_identifier, NULL);
    zassert_equal(
-        inData.property_identifier,
-        outData.property_identifier, NULL);
-    zassert_equal(
-        inData.property_array_index,
-        outData.property_array_index, NULL);
+        data.property_array_index, test_data.property_array_index, NULL);
+    while (--len) {
+        test_len = bacapp_decode_obj_property_ref(apdu, len, &test_data);
+        zassert_true(test_len <= 0, NULL);
+    }
    /* context */
-    inLen = bacapp_encode_context_obj_property_ref(apdu, tag_number, &inData);
-    outLen = bacapp_decode_context_obj_property_ref(apdu, inLen, tag_number,
-        &outData);
-    zassert_equal(outLen, inLen, NULL);
+    null_len = bacapp_encode_context_obj_property_ref(NULL, tag_number, &data);
+    len = bacapp_encode_context_obj_property_ref(apdu, tag_number, &data);
+    zassert_equal(null_len, len, NULL);
+    test_len = bacapp_decode_context_obj_property_ref(
+        apdu, len, tag_number, &test_data);
+    zassert_equal(test_len, len, "len=%d test_len=%d", len, test_len);
    zassert_equal(
-        inData.object_identifier.type,
-        outData.object_identifier.type, NULL);
+        data.object_identifier.type, test_data.object_identifier.type, NULL);
+    zassert_equal(data.object_identifier.instance,
+        test_data.object_identifier.instance, NULL);
    zassert_equal(
-        inData.object_identifier.instance,
-        outData.object_identifier.instance, NULL);
+        data.property_identifier, test_data.property_identifier, NULL);
    zassert_equal(
-        inData.property_identifier,
-        outData.property_identifier, NULL);
-    zassert_equal(
-        inData.property_array_index,
-        outData.property_array_index, NULL);
+        data.property_array_index, test_data.property_array_index, NULL);
+    while (--len) {
+        test_len = bacapp_decode_context_obj_property_ref(
+            apdu, len, tag_number, &test_data);
+        zassert_true(test_len <= 0, "test_len=%d len=%d", test_len, len);
+    }
+    null_len = bacapp_decode_context_obj_property_ref(
+        NULL, sizeof(apdu), tag_number, &test_data);
+    zassert_true(test_len <= 0, "test_len=%d len=%d", test_len, len);
 }

 /**
 * @}
 */

-
 #if defined(CONFIG_ZTEST_NEW_API)
 ZTEST_SUITE(bacdevobjpropref_tests, NULL, NULL, NULL, NULL, NULL);
 #else
 void test_main(void)
 {
-    ztest_test_suite(bacdevobjpropref_tests,
-     ztest_unit_test(testDevIdPropRef),
-     ztest_unit_test(testDevIdRef),
-     ztest_unit_test(testObjPropRef)
-     );
+    ztest_test_suite(bacdevobjpropref_tests, ztest_unit_test(testDevIdPropRef),
+        ztest_unit_test(testDevIdRef), ztest_unit_test(testObjPropRef));

    ztest_run_test_suite(bacdevobjpropref_tests);
 }