fix some bugs in tunneling support detected by the usage of esp32 (heap corruption)

Author: Ing-Dom

README.md

@@ -30,6 +30,7 @@ See the examples for basic usage options
 - increase device object api version to 2 (invalidation of knx flash data stored by older versions)
 - add #pragma once to Arduino plattform to allow derived plattforms
 - change esp32 plattform to use KNX_NETIF
+- fix out-of-boundary write and dereferenced nullpointer access in tunneling support 
 
 ### V2.1.1 - 2024-09-16
 - fix minor bug in TP-Uart Driver (RX queue out of boundary)

src/knx/ip_data_link_layer.cpp

@@ -766,8 +766,8 @@ void IpDataLinkLayer::loopHandleConnectRequest(uint8_t* buffer, uint16_t length,
                 tun = nullptr;
                 break;
             }
-        
-        tun->IndividualAddress = tunPa;
+        if(tun)
+            tun->IndividualAddress = tunPa;
 
     }
 

src/knx/ip_data_link_layer.h

@@ -54,7 +54,7 @@ class IpDataLinkLayer : public DataLinkLayer
     DataLinkLayerCallbacks* _dllcb;
 #ifdef KNX_TUNNELING
     KnxIpTunnelConnection tunnels[KNX_TUNNELING];
-    uint8_t _lastChannelId = 1;
+    uint8_t _lastChannelId = 0;
 #endif
 };
 #endif

src/knx/knx_ip_connect_response.cpp

@@ -17,7 +17,8 @@ KnxIpConnectResponse::KnxIpConnectResponse(IpParameterObject& parameters, uint16
 
     _crd.length((type == 4) ? 4 : 2); //TunnelConnectionResponse length = 4; ConfigConnectionResponse length = 2;
     _crd.type(type);
-    _crd.address(address);
+    if(type == 4) // only fill address when it is a TunnelConnectionResponse
+        _crd.address(address);
 }
 
 KnxIpConnectResponse::KnxIpConnectResponse(uint8_t channel, uint8_t errorCode)