From bcb82841fbf64852c086abeaa58e90ef580fd820 Mon Sep 17 00:00:00 2001
From: Tomasz Kazimierz Motyl
Date: Wed, 9 Oct 2024 18:31:13 +0100
Subject: [PATCH] Merge pull request #78 from se-apc/bugfix/stack_smashing_on_cov_subscriptions_encoding (#802)
Resolving stack-smashing problem associated with variable length of subscriber's process ID 2..5 bytes
Co-authored-by: Tomasz Kazimierz Motyl
---
 src/bacnet/basic/service/h_cov.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/bacnet/basic/service/h_cov.c b/src/bacnet/basic/service/h_cov.c
index 77bbabef..d0ef1d01 100644
--- a/src/bacnet/basic/service/h_cov.c
+++ b/src/bacnet/basic/service/h_cov.c
@@ -276,10 +276,11 @@ static int cov_encode_subscription(
 * @return How many bytes were encoded in the buffer, or -2 if the response
 * would not fit within the buffer.
 */
-/* Maximume length for an encoded COV subscription - 27 bytes for BACNET IP6
- * 31 bytes for IPv4 (longest MAC) and lets round it up to the machine word
+/* Maximume length for an encoded COV subscription - 31 bytes for BACNET IP6
+ * 35 bytes for IPv4 (longest MAC) with the maximum length
+ * of PID (5 bytes) and lets round it up to the 64bit machine word
 * alignment */
-#define MAX_COV_SUB_SIZE (32)
+#define MAX_COV_SUB_SIZE (40)
 int handler_cov_encode_subscriptions(uint8_t *apdu, int max_apdu)
 {
 if (apdu) {
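Review bot: `#define MAX_COV_SUB_SIZE (40)` is still a hand-counted bound (35 bytes per the new comment, rounded up), and nothing in the hunk ties it to what cov_encode_subscription can actually emit, so the same stack overflow can come back if any encoded field grows. The body of handler_cov_encode_subscriptions starts on the hunk's last lines and is not visible here. If it encodes into a fixed array of MAX_COV_SUB_SIZE bytes, the sturdier fix is to pass the buffer capacity to the encoder and have it return an error rather than write past the end, in the same way the doc comment's `-2` return covers a response that would not fit. At minimum, itemise the bound in the comment so it can be rechecked, e.g. `/* worst case 35 = <per-field sizes, to be filled in>; keep in sync with cov_encode_subscription() */`, and correct the carried-over typo `Maximume` to `Maximum`.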