MonitoredItem services: segmentation fault when providing non-DataChangeFilter in request
Description
This issue was detected on the 1.5.0 demo server: the server crashes with a segmentation fault when it receives a request whose MonitoringFilter is not a DataChangeFilter instance.
Analysis
The function msg_subscription_monitored_item_bs__getall_create_monitored_item_req_params in msg_subscription_monitored_item_bs.c does not correctly check the extension object encoding prior to the assignment:

```c
*msg_subscription_monitored_item_bs__p_filter = (OpcUa_DataChangeFilter*) monitReq->RequestedParameters.Filter.Body.Object.Value;
```

This assignment was indeed done when monitReq->RequestedParameters.Filter.Body.Object.Value was NULL (no filter) or an OpcUa_DataChangeFilter instance. A check was done prior to the assignment, but a misunderstanding led to also accepting unrecognized non-NULL filters, because of the conditional branch if (filter->Length > 0), which was expected to be true whenever data was present. In the decoder, however, Length is only read when an object was actually decoded in SOPC_ExtensionObject_Read:

```c
case SOPC_ExtObjBodyEncoding_XMLElement:
    status = SOPC_XmlElement_Read(&extObj->Body.Xml, buf, nestedStructLevel);
    break;
case SOPC_ExtObjBodyEncoding_ByteString:
    status = SOPC_ByteString_Read(&extObj->Body.Bstring, buf, nestedStructLevel);
    break;
case SOPC_ExtObjBodyEncoding_Object:
    status = SOPC_Int32_Read(&extObj->Length, buf, nestedStructLevel);
```

which leads to a length of 0 when the extension object could not be decoded as an object of a known type.
Fixes
- msg_subscription_monitored_item_bs__getall_create_monitored_item_req_params should not do the assignment (the filter remains NULL) when no filter is provided, to avoid any confusion, and an extension object with an unknown object type shall be considered an error.
- extObj->Length should be removed from the structure to avoid confusion, since it has no purpose outside of decoding.
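The following is an added example, not S2OPC code: a simplified model of the check discussed in the analysis and the first fix above, with the flawed Length-based check beside one that decides on the extension object encoding and type id. Every type, name and id in it (ExtensionObject, BodyEncoding, TYPEID_DATACHANGEFILTER, get_filter_flawed, get_filter_fixed, the sample cases) is a constructed stand-in.

```c
/* Added illustration, not S2OPC code: a simplified model of the filter
 * extraction above. All types, names and ids are constructed stand-ins. */
#include <stdio.h>
enum { STATUS_OK = 0, STATUS_BAD_FILTER = 1 };
typedef enum { BODY_NONE, BODY_BYTESTRING, BODY_OBJECT } BodyEncoding;
#define TYPEID_DATACHANGEFILTER 1u /* placeholder, not the real NodeId */
typedef struct { double deadband; } DataChangeFilter; /* stand-in */
typedef struct {
    BodyEncoding encoding;
    unsigned typeId;
    int length;       /* set by the decoder only for a known object type */
    const void *body; /* decoded object, or raw bytes for an unknown type */
} ExtensionObject;
/* Flawed: Length > 0 is taken as "object present". An unknown type leaves
 * Length at 0, so the type check is skipped and raw bytes get cast. */
int get_filter_flawed(const ExtensionObject *ext, const DataChangeFilter **out) {
    if (ext->length > 0 && ext->typeId != TYPEID_DATACHANGEFILTER) {
        *out = NULL;
        return STATUS_BAD_FILTER;
    }
    *out = (const DataChangeFilter *) ext->body; /* type confusion */
    return STATUS_OK;
}
/* Corrected: decide on encoding and type id, never on Length. No filter
 * leaves *out NULL; anything but a decoded DataChangeFilter is an error. */
int get_filter_fixed(const ExtensionObject *ext, const DataChangeFilter **out) {
    *out = NULL;
    if (ext->encoding == BODY_NONE) return STATUS_OK;
    if (ext->encoding != BODY_OBJECT || ext->body == NULL ||
        ext->typeId != TYPEID_DATACHANGEFILTER)
        return STATUS_BAD_FILTER;
    *out = (const DataChangeFilter *) ext->body;
    return STATUS_OK;
}
/* Constructed request cases: no filter, a DataChangeFilter, an unknown type. */
static const DataChangeFilter sample_dcf = { 0.5 };
static const unsigned char raw_unknown[4] = { 1, 2, 3, 4 };
const ExtensionObject ext_no_filter = { BODY_NONE, 0, 0, NULL };
const ExtensionObject ext_dcf = { BODY_OBJECT, TYPEID_DATACHANGEFILTER, 8, &sample_dcf };
const ExtensionObject ext_unknown = { BODY_BYTESTRING, 99, 0, raw_unknown };
int main(void) {
    const DataChangeFilter *f;
    int s = get_filter_flawed(&ext_unknown, &f);
    printf("flawed: status=%d filter=%p\n", s, (const void *) f);
    s = get_filter_fixed(&ext_unknown, &f);
    printf("fixed:  status=%d filter=%p\n", s, (const void *) f);
    return 0;
}
```

With the unknown-type case, the flawed version reports success and hands back a pointer to raw bytes, while the corrected version reports an error and leaves the filter NULL.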