From f3dfbce69e91cc322f820b082f5953fc65f4372d Mon Sep 17 00:00:00 2001
From: Ing-Dom
Date: Mon, 25 Nov 2024 22:16:45 +0100
Subject: [PATCH] fix some bugs in tunneling support detected by the usage of esp32 (heap corruption)

---
 README.md                           | 1 +
 src/knx/ip_data_link_layer.cpp      | 4 ++--
 src/knx/ip_data_link_layer.h        | 2 +-
 src/knx/knx_ip_connect_response.cpp | 3 ++-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index fad5d0fe..c0797fe9 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ See the examples for basic usage options
 - increase device object api version to 2 (invalidation of knx flash data stored by older versions)
 - add #pragma once to Arduino plattform to allow derived plattforms
 - change esp32 plattform to use KNX_NETIF
+- fix out-of-boundary write and dereferenced nullpointer access in tunneling support
 
 ### V2.1.1 - 2024-09-16
 - fix minor bug in TP-Uart Driver (RX queue out of boundary)
diff --git a/src/knx/ip_data_link_layer.cpp b/src/knx/ip_data_link_layer.cpp
index 3fe45b99..78307ffc 100644
--- a/src/knx/ip_data_link_layer.cpp
+++ b/src/knx/ip_data_link_layer.cpp
@@ -766,8 +766,8 @@ void IpDataLinkLayer::loopHandleConnectRequest(uint8_t* buffer, uint16_t length,
                 tun = nullptr;
                 break;
             }
-
-            tun->IndividualAddress = tunPa;
+            if(tun)
+                tun->IndividualAddress = tunPa;
         }
 
 
diff --git a/src/knx/ip_data_link_layer.h b/src/knx/ip_data_link_layer.h
index 128f59f8..7d0ef302 100644
--- a/src/knx/ip_data_link_layer.h
+++ b/src/knx/ip_data_link_layer.h
@@ -54,7 +54,7 @@ class IpDataLinkLayer : public DataLinkLayer
         DataLinkLayerCallbacks* _dllcb;
 #ifdef KNX_TUNNELING
         KnxIpTunnelConnection tunnels[KNX_TUNNELING];
-        uint8_t _lastChannelId = 1;
+        uint8_t _lastChannelId = 0;
 #endif
 };
 #endif
\ No newline at end of file
diff --git a/src/knx/knx_ip_connect_response.cpp b/src/knx/knx_ip_connect_response.cpp
index 11eb705b..c164a370 100644
--- a/src/knx/knx_ip_connect_response.cpp
+++ b/src/knx/knx_ip_connect_response.cpp
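Review bot: The new `if(tun)` guard stops the null dereference, but nothing in the hunk reports the "no free tunnel" outcome back to the requesting client once `tun` is null, and the code that follows is outside the hunk, so confirm it answers the CONNECT_REQUEST with an error status (the KNXnet/IP core spec defines E_NO_MORE_CONNECTIONS for exactly this case) rather than continuing as if a tunnel had been allocated. The `tun = nullptr; break;` lines just above suggest the search loop already knows it exhausted the pool, so the cheap way to keep that explicit is an early exit instead of a silent skip, e.g. `if (tun == nullptr) { /* send CONNECT_RESPONSE with the no-more-connections status */ return; }` before the address assignment. A one-line comment on the guard, `// tun is null when every slot in tunnels[] is in use`, would also make the intent clear to the next reader. loopHandleConnectRequest starts and ends outside this hunk.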
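Review bot: `_lastChannelId` now starts at 0, and the changelog ties this to an out-of-bounds write, yet the declaration still says nothing about the invariant the allocator relies on: which range the id may take, whether it is advanced before or after use, and how a channel id maps onto an index of `tunnels[KNX_TUNNELING]`, so the off-by-one can be reintroduced by the next edit. Add a comment such as `// last KNXnet/IP channel id handed out (0 = none yet); presumably advanced before use — must stay consistent with the channel-id -> tunnels[] index mapping in ip_data_link_layer.cpp`. Because the id is a `uint8_t` and `KNX_TUNNELING` is both the feature flag and the array size, a `static_assert(KNX_TUNNELING > 0 && KNX_TUNNELING < 255, "KNX_TUNNELING must fit an 8-bit channel id");` next to the array would reject a configuration that cannot be addressed. The header also still lacks a trailing newline (`\ No newline at end of file`). The class definition begins outside this hunk.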
@@ -17,7 +17,8 @@ KnxIpConnectResponse::KnxIpConnectResponse(IpParameterObject& parameters, uint16
     _crd.length((type == 4) ? 4 : 2); //TunnelConnectionResponse length = 4; ConfigConnectionResponse length = 2;
     _crd.type(type);
-    _crd.address(address);
+    if(type == 4) // only fill address when it is a TunnelConnectionResponse
+        _crd.address(address);
 }
 
 
 KnxIpConnectResponse::KnxIpConnectResponse(uint8_t channel, uint8_t errorCode)
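Review bot: The literal `4` that now decides both the CRD length and whether `_crd.address()` is written is repeated without a name, so the two decisions can drift apart, and the new guard drops the address for every `type` other than 4, not just the config connection the comment mentions. Name the connection type and use it in both places, e.g. `constexpr uint8_t TUNNEL_CONNECTION = 4;` (or the project's existing constant if there is one), `_crd.length(type == TUNNEL_CONNECTION ? 4 : 2);` and `if (type == TUNNEL_CONNECTION)`. Since writing the address into a 2-byte CRD is what the changelog calls the out-of-boundary write, a short comment on the constructor stating that `address` is only meaningful for tunnel connections and is ignored otherwise would tell callers what the guard protects. The constructor's signature begins before this hunk.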