From bbe5de7c12b9bfd9fb10ee4230e9618efb049f05 Mon Sep 17 00:00:00 2001
From: Steve Karg
Date: Thu, 14 Dec 2023 11:24:47 -0600
Subject: [PATCH] Bugfix/bacapp application decode buffer over-read (#546)
* fix BACnet app decode function APDU over-read
* change BACnet app decode function APDU size datatype to 32-bit
---------
Co-authored-by: Steve Karg
---
 src/bacnet/bacapp.c | 10 +++++-----
 src/bacnet/bacapp.h | 8 ++++----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/bacnet/bacapp.c b/src/bacnet/bacapp.c
index ab10fce2..90976f77 100644
--- a/src/bacnet/bacapp.c
+++ b/src/bacnet/bacapp.c
@@ -423,7 +423,7 @@ int bacapp_decode_data(uint8_t *apdu,
  * @return the number of apdu bytes consumed, or #BACNET_STATUS_ERROR
  */
 int bacapp_decode_application_data(
-    uint8_t *apdu, unsigned apdu_len_max, BACNET_APPLICATION_DATA_VALUE *value)
+    uint8_t *apdu, uint32_t apdu_size, BACNET_APPLICATION_DATA_VALUE *value)
 {
     int len = 0;
     int tag_len = 0;
@@ -431,17 +431,17 @@ int bacapp_decode_application_data(
     uint8_t tag_number = 0;
     uint32_t len_value_type = 0;
-    if (apdu && value && !IS_CONTEXT_SPECIFIC(*apdu)) {
+    if (apdu && value && apdu_size && !IS_CONTEXT_SPECIFIC(*apdu)) {
         value->context_specific = false;
         tag_len = bacnet_tag_number_and_value_decode(
-            &apdu[0], apdu_len_max, &tag_number, &len_value_type);
+            &apdu[0], apdu_size, &tag_number, &len_value_type);
         if (tag_len > 0) {
             len += tag_len;
             value->tag = tag_number;
-            if ((unsigned)len <= apdu_len_max) {
+            if ((unsigned)len <= apdu_size) {
                 decode_len = bacapp_decode_data_len(NULL, tag_number, len_value_type);
-                if ((unsigned)decode_len <= (apdu_len_max - len)) {
+                if ((unsigned)decode_len <= (apdu_size - len)) {
                     decode_len = bacapp_decode_data(
                         &apdu[len], tag_number, len_value_type, value);
                     if (value->tag != MAX_BACNET_APPLICATION_TAG) {
diff --git a/src/bacnet/bacapp.h b/src/bacnet/bacapp.h
index baf16b1e..53e4c638 100644
--- a/src/bacnet/bacapp.h
+++ b/src/bacnet/bacapp.h
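Review bot: The bound taken from bacapp_decode_data_len() in the second hunk is the only thing keeping bacapp_decode_data() inside the buffer, because the call on the following line still receives no size and decodes `&apdu[len]` from `len_value_type` alone; nothing in the hunk records that the two functions must agree on the byte count for every tag. A comment at the call site would make that invariant visible, e.g. `/* bacapp_decode_data() is not length-bounded: the preceding bacapp_decode_data_len() check is the only guard against over-read, so both must consume the same count for every tag */`. The first hunk renames the parameter to apdu_size while the Doxygen block above it, outside the hunk, presumably still documents `apdu_len_max`; if so, that `@param` should be updated in the same change. bacapp_decode_application_data continues beyond the end of the second hunk.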
@@ -198,19 +198,19 @@ extern "C" {
     int bacapp_decode_data(
         uint8_t * apdu,
         uint8_t tag_data_type,
-        uint32_t len_value_type,
+        uint32_t apdu_size,
         BACNET_APPLICATION_DATA_VALUE * value);
     BACNET_STACK_EXPORT
     int bacapp_decode_application_data(
         uint8_t * apdu,
-        unsigned max_apdu_len,
+        uint32_t apdu_size,
         BACNET_APPLICATION_DATA_VALUE * value);
     BACNET_STACK_EXPORT
     bool bacapp_decode_application_data_safe(
-        uint8_t * new_apdu,
-        uint32_t new_apdu_len,
+        uint8_t * apdu,
+        uint32_t apdu_size,
         BACNET_APPLICATION_DATA_VALUE * value);
     BACNET_STACK_EXPORT
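Review bot: The bacapp_decode_data() prototype renames its third parameter from `len_value_type` to `apdu_size`, but the call in src/bacnet/bacapp.c still passes `len_value_type`, the length/value field decoded from the tag, and nothing in this patch touches the function's definition. If the definition was left as is, the header now describes a different contract than the implementation: a caller following the header would hand over the remaining buffer size where the decoder expects the element length, and the wrong number of bytes would be decoded. Either keep `uint32_t len_value_type,` in the prototype or change the definition and its callers together in the same commit so that the header and the implementation agree.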