Corrected ReadPropertyMultiple for some objects. Added catch for case where malformed RPM-Ack is received.

bacnet-stack/demo/handler/h_rpm.c

@@ -235,6 +235,7 @@ int RPM_Encode_Property(
     int32_t array_index)
 {
     int len = 0;
+    size_t copy_len = 0;
     int apdu_len = 0;
     BACNET_ERROR_CLASS error_class = ERROR_CLASS_OBJECT;
     BACNET_ERROR_CODE error_code = ERROR_CODE_UNKNOWN_OBJECT;
@@ -242,8 +243,8 @@ int RPM_Encode_Property(
     len =
         rpm_ack_encode_apdu_object_property(&Temp_Buf[0], object_property,
         array_index);
-    len = memcopy(&apdu[0], &Temp_Buf[0], offset, len, max_apdu);
-    if (!len) {
+    copy_len = memcopy(&apdu[0], &Temp_Buf[0], offset, len, max_apdu);
+    if (copy_len == 0) {
         return 0;
     }
     apdu_len += len;
@@ -255,9 +256,9 @@ int RPM_Encode_Property(
         len =
             rpm_ack_encode_apdu_object_property_error(&Temp_Buf[0],
             error_class, error_code);
-        len =
+        copy_len =
             memcopy(&apdu[0], &Temp_Buf[0], offset + apdu_len, len, max_apdu);
-        if (!len) {
+        if (copy_len == 0) {
             return 0;
         }
     } else if ((offset + apdu_len + 1 + len + 1) < max_apdu) {

bacnet-stack/demo/handler/h_rpm_a.c

@@ -124,6 +124,10 @@ static int rpm_ack_decode_service_request(
                         apdu++;
                         break;
                     } else {
+                        /* nothing decoded and no closing tag, so malformed */
+                        if (len == 0) {
+                            return -1;
+                        }
                         old_value = value;
                         value =
                             calloc(1, sizeof(BACNET_APPLICATION_DATA_VALUE));
@@ -299,5 +303,26 @@ void handler_read_property_multiple_ack(
             rpm_data = rpm_data->next;
             free(old_rpm_data);
         }
+    } else {
+#if 1
+        fprintf(stderr, "RPM Ack Malformed! Freeing memory...\n");
+#endif
+        while (rpm_data) {
+            rpm_property = rpm_data->listOfProperties;
+            while (rpm_property) {
+                value = rpm_property->value;
+                while (value) {
+                    old_value = value;
+                    value = value->next;
+                    free(old_value);
+                }
+                old_rpm_property = rpm_property;
+                rpm_property = rpm_property->next;
+                free(old_rpm_property);
+            }
+            old_rpm_data = rpm_data;
+            rpm_data = rpm_data->next;
+            free(old_rpm_data);
+        }
     }
 }

bacnet-stack/ports/at91sam7s/h_rp.c

@@ -81,7 +81,7 @@ int Encode_Property_APDU(
         case OBJECT_ANALOG_VALUE:
             if (Analog_Value_Valid_Instance(object_instance)) {
                 apdu_len =
-                    Analog_Value_Encode_Property_APDU(&Temp_Buf[0],
+                    Analog_Value_Encode_Property_APDU(&apdu[0],
                     object_instance, property, array_index, error_class,
                     error_code);
             }
@@ -97,7 +97,7 @@ int Encode_Property_APDU(
         case OBJECT_BINARY_VALUE:
             if (Binary_Value_Valid_Instance(object_instance)) {
                 apdu_len =
-                    Binary_Value_Encode_Property_APDU(&Temp_Buf[0],
+                    Binary_Value_Encode_Property_APDU(&apdu[0],
                     object_instance, property, array_index, error_class,
                     error_code);
             }

bacnet-stack/ports/bdk-atxx4-mstp/h_rp.c

@@ -88,7 +88,7 @@ int Encode_Property_APDU(
         case OBJECT_BINARY_OUTPUT:
             if (Binary_Output_Valid_Instance(object_instance)) {
                 apdu_len =
-                    Binary_Output_Encode_Property_APDU(&Temp_Buf[0],
+                    Binary_Output_Encode_Property_APDU(&apdu[0],
                     object_instance, property, array_index, error_class,
                     error_code);
             }