From 501dffe6d0564147981acd4b7dd59702d9781a5b Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Wed, 12 Jun 2024 12:06:46 +0100
Subject: [PATCH] - ACSE: fixed out-of-bounds read in parseAarqPdu function (LIB61850-441)(#512)
---
 src/mms/iso_acse/acse.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/mms/iso_acse/acse.c b/src/mms/iso_acse/acse.c
index 40ecafe0..a16b4d74 100644
--- a/src/mms/iso_acse/acse.c
+++ b/src/mms/iso_acse/acse.c
@@ -263,13 +263,17 @@ parseAarqPdu(AcseConnection* self, uint8_t* buffer, int bufPos, int maxBufPos)
 int authMechLen = 0;
 bool userInfoValid = false;
- while (bufPos < maxBufPos) {
+ while (bufPos < maxBufPos)
+ {
 uint8_t tag = buffer[bufPos++];
 int len;
 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, maxBufPos);
- if (bufPos < 0) {
+ if (len == 0)
+ continue;
+
+ if ((bufPos < 0) || (bufPos + len > maxBufPos)) {
 if (DEBUG_ACSE)
 printf("ACSE: Invalid PDU!\n");
 return ACSE_ASSOCIATE_FAILED;
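Review bot: The added `if (len == 0) continue;` runs before the decoder's failure result is checked, so a failed `BerDecoder_decodeLength` call that leaves `len` at 0 (or unwritten, since `int len;` has no initializer) sends the loop back to `buffer[bufPos++]` with a negative `bufPos`, which would be another out-of-bounds read. BerDecoder_decodeLength is not visible here, so whether it can return a negative position together with `len == 0` needs confirming, but putting the failure check first removes the dependency: `if ((bufPos < 0) || (len < 0) || (len > maxBufPos - bufPos)) {` and only then `if (len == 0) continue;`. Writing the bound as `len > maxBufPos - bufPos` also avoids signed overflow in `bufPos + len` should the decoder hand back a very large or negative length. The while loop and the rest of parseAarqPdu continue past the end of this hunk.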