Bugfix/bacnet array encoding overflows (#414)

* Add common BACnetARRAY encode function to fix Device object list buffer overflow. Refactor device, analog-output, access-door and binary-output objects to use common BACnetARRAY encoder. * Fix non-POSIX builds (win32). * Cleanup some ports/stm32 build warnings --------- Co-authored-by: Steve Karg <skarg@users.sourceforge.net>
2023-04-13 20:43:54 -05:00
parent 064c6f7f1c
commit e517df0d47
23 changed files with 872 additions and 834 deletions
@@ -243,6 +243,35 @@ BACNET_DOOR_VALUE Access_Door_Relinquish_Default(uint32_t object_instance)
    return status;
 }

+/**
+ * @brief Encode a BACnetARRAY property element
+ * @param object_instance [in] BACnet network port object instance number
+ * @param array_index [in] array index requested:
+ *    0 to N for individual array members
+ * @param apdu [out] Buffer in which the APDU contents are built, or NULL to
+ * return the length of buffer if it had been built
+ * @return The length of the apdu encoded or
+ *   BACNET_STATUS_ERROR for ERROR_CODE_INVALID_ARRAY_INDEX
+ */
+static int Access_Door_Priority_Array_Encode(
+    uint32_t object_instance, BACNET_ARRAY_INDEX array_index, uint8_t *apdu)
+{
+    int apdu_len = BACNET_STATUS_ERROR;
+    unsigned object_index = 0;
+
+    object_index = Access_Door_Instance_To_Index(object_instance);
+    if (object_index < MAX_ACCESS_DOORS) {
+        if (ad_descr[object_index].value_active[array_index]) {
+            apdu_len = encode_application_null(apdu);
+        } else {
+            apdu_len = encode_application_enumerated(
+                apdu, ad_descr[object_index].priority_array[array_index]);
+        }
+    }
+
+    return apdu_len;
+}
+
 /* note: the object name must be unique within this device */
 bool Access_Door_Object_Name(
    uint32_t object_instance, BACNET_CHARACTER_STRING *object_name)
@@ -284,20 +313,20 @@ void Access_Door_Out_Of_Service_Set(uint32_t instance, bool oos_flag)
 /* return apdu len, or BACNET_STATUS_ERROR on error */
 int Access_Door_Read_Property(BACNET_READ_PROPERTY_DATA *rpdata)
 {
-    int len = 0;
    int apdu_len = 0; /* return value */
    BACNET_BIT_STRING bit_string;
    BACNET_CHARACTER_STRING char_string;
    unsigned object_index = 0;
-    unsigned i = 0;
    bool state = false;
    uint8_t *apdu = NULL;
+    int apdu_size = 0;

    if ((rpdata == NULL) || (rpdata->application_data == NULL) ||
        (rpdata->application_data_len == 0)) {
        return 0;
    }
    apdu = rpdata->application_data;
+    apdu_size = rpdata->application_data_len;
    object_index = Access_Door_Instance_To_Index(rpdata->object_instance);
    switch (rpdata->object_property) {
        case PROP_OBJECT_IDENTIFIER:
@@ -339,46 +368,15 @@ int Access_Door_Read_Property(BACNET_READ_PROPERTY_DATA *rpdata)
            apdu_len = encode_application_boolean(&apdu[0], state);
            break;
        case PROP_PRIORITY_ARRAY:
-            /* Array element zero is the number of elements in the array */
-            if (rpdata->array_index == 0) {
-                apdu_len =
-                    encode_application_unsigned(&apdu[0], BACNET_MAX_PRIORITY);
-                /* if no index was specified, then try to encode the entire list
-                 */
-                /* into one packet. */
-            } else if (rpdata->array_index == BACNET_ARRAY_ALL) {
-                for (i = 0; i < BACNET_MAX_PRIORITY; i++) {
-                    /* FIXME: check if we have room before adding it to APDU */
-                    if (ad_descr[object_index].value_active[i]) {
-                        len = encode_application_null(&apdu[apdu_len]);
-                    } else {
-                        len = encode_application_enumerated(&apdu[apdu_len],
-                            ad_descr[object_index].priority_array[i]);
-                    }
-                    /* add it if we have room */
-                    if ((apdu_len + len) < MAX_APDU) {
-                        apdu_len += len;
-                    } else {
-                        rpdata->error_code =
-                            ERROR_CODE_ABORT_SEGMENTATION_NOT_SUPPORTED;
-                        apdu_len = BACNET_STATUS_ABORT;
-                        break;
-                    }
-                }
-            } else {
-                if (rpdata->array_index <= BACNET_MAX_PRIORITY) {
-                    if (ad_descr[object_index].value_active[i]) {
-                        apdu_len = encode_application_null(&apdu[0]);
-                    } else {
-                        apdu_len =
-                            encode_application_enumerated(&apdu[apdu_len],
-                                ad_descr[object_index].priority_array[i]);
-                    }
-                } else {
-                    rpdata->error_class = ERROR_CLASS_PROPERTY;
-                    rpdata->error_code = ERROR_CODE_INVALID_ARRAY_INDEX;
-                    apdu_len = BACNET_STATUS_ERROR;
-                }
+            apdu_len = bacnet_array_encode(rpdata->object_instance,
+                rpdata->array_index, Access_Door_Priority_Array_Encode,
+                BACNET_MAX_PRIORITY, apdu, apdu_size);
+            if (apdu_len == BACNET_STATUS_ABORT) {
+                rpdata->error_code =
+                    ERROR_CODE_ABORT_SEGMENTATION_NOT_SUPPORTED;
+            } else if (apdu_len == BACNET_STATUS_ERROR) {
+                rpdata->error_class = ERROR_CLASS_PROPERTY;
+                rpdata->error_code = ERROR_CODE_INVALID_ARRAY_INDEX;
            }
            break;
        case PROP_RELINQUISH_DEFAULT: