Potential Billing Errors due to Unvalidated Meter Values in StopTransaction #1297

Open
2 of 4 tasks
Tano-Coppoletta opened this issue Nov 10, 2023 · 1 comment

Comments

@Tano-Coppoletta

Checklist

  • I checked other issues already, but found no answer/solution
  • I checked the documentation and wiki, but found no answer/solution
  • I am running the latest version and the issue still occurs
  • I am sure that this issue is about SteVe (and not about the charging station software or something unrelated to SteVe)

Specifications

SteVe Version     : 3.6.0
Operating system  : Ubuntu 22.04.1
JDK               : openjdk version "11.0.20.1"
Database          : version 1.0.3

Issue Description

A potential issue in the SteVe OCPP server's transaction handling has been identified, where a StopTransaction message with a meterStop value less than the meterStart value provided in the corresponding StartTransaction could lead to billing discrepancies.

Steps to Reproduce

  1. Send a StartTransaction message with a meterStart value.
  2. Later, send a StopTransaction message with a meterStop value that is less than the meterStart value.
  3. Note the server's acceptance of the transaction and the resulting billing calculation.

Expected Behavior

The server should validate meterStop values to ensure they are equal to or greater than meterStart values to prevent billing errors.

Actual Behavior

The server accepts a StopTransaction message with a meterStop value less than the meterStart value, potentially leading to incorrect billing.
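
The validation requested under Expected Behavior, sketched as an added example that is not part of the original issue and is not SteVe's code. `TransactionLedger`, `StopResult` and the choice to record a regressing reading for audit while leaving it unbilled are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class StopResult(Enum):
    OK = "ok"
    UNKNOWN_TRANSACTION = "unknown_transaction"
    ALREADY_STOPPED = "already_stopped"
    NEGATIVE_METER = "negative_meter"
    METER_REGRESSION = "meter_regression"  # meterStop < meterStart

@dataclass
class Transaction:
    meter_start: int                    # from StartTransaction.meterStart
    meter_stop: Optional[int] = None    # from StopTransaction.meterStop, kept for audit
    billable: Optional[int] = None      # set only when the reading validates
    flag: Optional[StopResult] = None   # why the transaction was held back

class TransactionLedger:
    """Hypothetical in-memory store keyed by transactionId (an assumption)."""
    def __init__(self) -> None:
        self._tx: Dict[int, Transaction] = {}

    def start(self, meter_start: int) -> int:
        if meter_start < 0:
            raise ValueError("meterStart must not be negative")
        tx_id = len(self._tx) + 1
        self._tx[tx_id] = Transaction(meter_start)
        return tx_id

    def stop(self, tx_id: int, meter_stop: int) -> StopResult:
        tx = self._tx.get(tx_id)
        if tx is None:
            return StopResult.UNKNOWN_TRANSACTION
        if tx.meter_stop is not None:
            return StopResult.ALREADY_STOPPED  # a replay must not overwrite the reading
        tx.meter_stop = meter_stop
        if meter_stop < 0:
            tx.flag = StopResult.NEGATIVE_METER
        elif meter_stop < tx.meter_start:
            tx.flag = StopResult.METER_REGRESSION  # the case reported in this issue
        else:
            tx.billable = meter_stop - tx.meter_start
        return tx.flag if tx.flag is not None else StopResult.OK

    def get(self, tx_id: int) -> Transaction:
        return self._tx[tx_id]
```

A flagged transaction keeps the reported `meter_stop` but has no `billable` amount, so it can be routed to manual review instead of producing a negative or understated charge.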

@Tano-Coppoletta
Author

Hello,

I'm reaching out for an update regarding this issue.

We are in the process of submitting Common Vulnerabilities and Exposures (CVEs) related to this matter. However, we can wait if you are in the process of fixing it.

Additionally, we intend to publish our findings in an academic paper.

Your prompt response and attention to this matter would be greatly appreciated as it will greatly inform our next steps.

Thank you and looking forward to your response.
