From 2335deb742fca9bc5c5456d2b80f1b48ebafec99 Mon Sep 17 00:00:00 2001
From: Stefan Wahren
Date: Sat, 22 Dec 2012 00:08:59 +0100
Subject: [PATCH 1/2] Fix segmentation fault
- check if L Field is at least 3 to avoid crash (MBDOC48.PDF, page 23)
---
 mbus/mbus-protocol.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/mbus/mbus-protocol.c b/mbus/mbus-protocol.c
index 0e9530d..44d56dd 100755
--- a/mbus/mbus-protocol.c
+++ b/mbus/mbus-protocol.c
@@ -2554,6 +2554,14 @@ mbus_parse(mbus_frame *frame, u_char *data, size_t data_size)
 frame->length1 = data[1];
 frame->length2 = data[2];
 
+ if (frame->length1 < 3)
+ {
+ snprintf(error_str, sizeof(error_str), "Invalid M-Bus frame length.");
+
+ // not a valid M-bus frame
+ return -2;
+ }
+
 if (frame->length1 != frame->length2)
 {
 snprintf(error_str, sizeof(error_str), "Invalid M-Bus frame length.");
From 9c9c0201f922570d148ab8e91a45b806318d162f Mon Sep 17 00:00:00 2001
From: Stefan Wahren
Date: Sat, 29 Dec 2012 11:57:13 +0100
Subject: [PATCH 2/2] add exploit for invalid length
---
 test/test-frames/invalid_length.hex | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test/test-frames/invalid_length.hex
diff --git a/test/test-frames/invalid_length.hex b/test/test-frames/invalid_length.hex
new file mode 100644
index 0000000..55cf2eb
--- /dev/null
+++ b/test/test-frames/invalid_length.hex
@@ -0,0 +1 @@
+68 00 00 68 08 16
\ No newline at end of file
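Review bot: The new `if (frame->length1 < 3)` guard only enforces the spec's lower bound on the L field; nothing in the hunk relates `frame->length1` to `data_size`, the size of the buffer actually received, so if the code after this hunk (outside the view) uses the length field to walk `data`, an over-large L field would still index past the end of the buffer and the same class of crash remains. Adding an upper-bound check against `data_size` at the same point, before the length is used as an offset, would close that side. The new error text repeats the mismatch message verbatim, so a caller cannot tell the two failures apart from `error_str`; `"M-Bus frame length field below minimum."` would keep them distinguishable. The `// not a valid M-bus frame` comment merely restates the return; a why-comment such as `// per MBDOC48 p.23 the L field can never be below 3` would carry the rationale the commit message gives. mbus_parse begins before and continues after this hunk.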