Added check for existance of difvif varlen length byte before reading it.

2022-09-04 16:20:16 +02:00 · 2022-09-04 16:20:16 +02:00 · 913c210279
commit 913c210279
--- a/15
+++ b/15
@ -1,15 +1,12 @@

 ATTENTION! The multical21 and flowiq drivers have been refactored to the new driver style.
+
+Added check for existance of difvif varlen length byte before reading it. Found by fuzzing.
+
 Since the multical21 driver was the first driver ever written, it had some idiosynchrasies.
-To preserve backwards compatibility of the json, the current_status field is left in, but
-marked as deprecated. The new status field will replace it.
-
-The "status":"OK" is a standard field from wmbusmeters that no error bits (both in the tpl status header
-or in error flags in the telegram) are set. The old current_status field was just the empty
-string when all was ok.
-
-If you use the --format=fields then current_status previously also included the time information.
-It no longer does.
+The json should be entirely backwards compatible but when format=fields is used, the
+status field no longer has the days, eg "DRY(22-31 days)" is now just "DRY"
+use the json or selectfields=time_dry to get how long it has been dry.

 Thecem added support for the Multical 303 heat meter. Thanks thescem!

--- a/2
+++ b/2
@ -357,7 +357,7 @@ run_fuzz_telegrams: extract_fuzz_telegram_seeds
 	${AFL_HOME}/afl-fuzz -i fuzz_testcases/telegrams -o fuzz_findings_telegrams/ build/wmbusmeters --listento=any stdin

 extract_fuzz_telegram_seeds:
-	@cat simulations/simulation_* | grep "^telegram=" | tr -d '|' | sed 's/^telegram=//' > $(BUILD)/seeds
+	@cat src/driver_*.cc | grep "^// telegram=" | tr -d '|' | sed 's|^// telegram=\|||' > $(BUILD)/seeds
 	@mkdir -p fuzz_testcases/telegrams
 	@rm -f fuzz_testcases/telegrams/seed_*
 	@SEED=1; while read -r line; do echo "$${line}" | xxd -r -p - > "fuzz_testcases/telegrams/seed_$${SEED}"; SEED=$$((SEED + 1)); done < $(BUILD)/seeds; echo "Extracted $${SEED} seeds from simulations."
--- a/src/dvparser.cc
+++ b/src/dvparser.cc
@ -394,12 +394,19 @@ bool parseDV(Telegram *t,
        DEBUG_PARSER("(dvparser debug) DifVif key is %s\n", key.c_str());

        int remaining = std::distance(data, data_end);
+        if (remaining < 1)
+        {
+            debug("(dvparser) warning: unexpected end of data\n");
+            break;
+        }
+
        if (variable_length) {
            DEBUG_PARSER("(dvparser debug) varlen %02x\n", *(data+0));
            datalen = *(data);
        }
        DEBUG_PARSER("(dvparser debug) remaining data %d len=%d\n", remaining, datalen);
-        if (remaining < datalen) {
+        if (remaining < datalen)
+        {
            debug("(dvparser) warning: unexpected end of data\n");
            datalen = remaining-1;
        }