From a12c552601d3b426d27ab378a140e5a900292e42 Mon Sep 17 00:00:00 2001
From: GauiStori
Date: Wed, 17 Jul 2024 19:13:56 +0200
Subject: [PATCH] Added a check for apdu_len exceeding MAX_APDU in apdu_handler() for confirmed service and ignore the message if the APDU portion of the message is too long. (#696)

---
 src/bacnet/basic/service/h_apdu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/bacnet/basic/service/h_apdu.c b/src/bacnet/basic/service/h_apdu.c
index f60793c5..8a844e7a 100644
--- a/src/bacnet/basic/service/h_apdu.c
+++ b/src/bacnet/basic/service/h_apdu.c
@@ -468,7 +468,9 @@ uint16_t apdu_decode_confirmed_service_request(uint8_t *apdu, /* APDU data */
             return 0;
         }
     }
-    if (apdu_len == (len + 1)) {
+    if (apdu_len > MAX_APDU){
+        return 0;
+    } else if (apdu_len == (len + 1)) {
         /* no request data as seen with Inneasoft BACnet Explorer */
         *service_choice = apdu[len++];
         *service_request = NULL;
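Review bot: The new `apdu_len > MAX_APDU` guard sits after the fixed-header bytes of the confirmed request have already been decoded (the `len` used on the next line has been advanced by earlier `apdu[]` reads that are outside this hunk), so an oversized length is rejected only once the function is already past the header; an input-length check of this kind is normally the first statement of the decoder, before any `apdu[]` access, so that every later index is bounded by a value already known to fit the buffer. I would hoist it to the top of `apdu_decode_confirmed_service_request()` as `if (apdu_len > MAX_APDU) { return 0; }` and keep the original `if (apdu_len == (len + 1)) {` here, with a comment such as `/* reject an APDU larger than the buffer it must fit in; see MAX_APDU */` so the reason for the early exit is visible. Two smaller points: the added line is missing the space before the brace (`MAX_APDU){`) that the surrounding code uses, and the commit message attributes the check to `apdu_handler()` while the hunk header places it in `apdu_decode_confirmed_service_request()` — presumably its caller, but the message should name the function actually changed. The enclosing function starts and ends outside this hunk, so whether earlier code already bounds the header reads cannot be confirmed from here.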