There is an integer overflow bug in pyosdp_make_struct_cmd_output due to incorrect type casting for the timer_count parameter.
Describe the bug
In file python/osdp_sys/data.c, the function is implemented as follows:
    static int pyosdp_make_struct_cmd_output(struct osdp_cmd *p, PyObject *dict)
    {
        struct osdp_cmd_output *cmd = &p->output;
        int output_no, control_code, timer_count;

        if (pyosdp_dict_get_int(dict, "output_no", &output_no))
            return -1;
        if (pyosdp_dict_get_int(dict, "control_code", &control_code))
            return -1;
        if (pyosdp_dict_get_int(dict, "timer_count", &timer_count))
            return -1;

        cmd->output_no = (uint8_t)output_no;
        cmd->control_code = (uint8_t)control_code;
        cmd->timer_count = (uint8_t)timer_count;
        return 0;
    }
Reasoning
According to the OSDP protocol specification regarding Timer values:
“The timer value is specified in units of 100 milliseconds. The 16-bit value provided supports a
maximum pulse time of 6,553.5 seconds, which is 1 hour, 49 minutes, and 13.5 seconds. A timer
value of zero should be interpreted as “forever”.”
The protocol clearly states that the timer value is a 16-bit value. However, the current code casts timer_count to uint8_t.
Impact
Casting to uint8_t restricts the maximum timer value to 255 (25.5 seconds) instead of 65535 (6,553.5 seconds). If a user passes a value greater than 255 via Python to control a Peripheral Device (PD), an integer overflow occurs, causing the PD to receive an incorrect timer value.
Suggested Fix
Change the casting type of timer_count from uint8_t to uint16_t:
cmd->timer_count = (uint16_t)timer_count;
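The effect of the 8-bit cast on concrete values, next to a range-checked conversion, as an added example that is not code from this report or from the project. The helper names `timer_narrow_u8` and `timer_checked_u16` are hypothetical and the inputs are constructed. Note that 256 narrows to 0, which the specification text quoted above defines as "forever", and that a plain `(uint16_t)` cast would still wrap values above 65535 or below 0 taken from the Python `int`.

```c
#include <stdint.h>
#include <stdio.h>

/* Narrowing as in the reported code: only the low 8 bits survive. */
static uint8_t timer_narrow_u8(int timer_count)
{
    return (uint8_t)timer_count;
}

/*
 * Hypothetical helper (assumption, not part of the project): accept the
 * value only if it fits the 16-bit timer field, otherwise return -1 so the
 * caller can reject the command instead of sending a wrapped value.
 */
static int timer_checked_u16(int timer_count, uint16_t *out)
{
    if (timer_count < 0 || timer_count > UINT16_MAX)
        return -1;
    *out = (uint16_t)timer_count;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, in units of 100 ms. */
    const int samples[] = { 255, 256, 300, 65535, 65536, -1 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t v = 0;
        int rc = timer_checked_u16(samples[i], &v);

        printf("in=%6d  u8 cast=%3u  ", samples[i],
               (unsigned)timer_narrow_u8(samples[i]));
        if (rc == 0)
            printf("checked u16=%u\n", (unsigned)v);
        else
            printf("checked u16=rejected\n");
    }
    return 0;
}
```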