diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 09:07:50 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 09:26:19 +0200 |
commit | 4156ec6dd106d1223ea67bca45962e7dbe024526 (patch) | |
tree | a87a79588ac44c563d932942a611bca6c091de1f | |
parent | 49ad500ac64537eee2d933f1c255282b98042c5c (diff) |
ussd: Make sure the component fits.
Use a while() {} to check offset +2 <= length on the first
iteration of the loop. Once we have the component length
check that it is going to fit into the given length.
-rw-r--r-- | src/gsm0480.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/gsm0480.c b/src/gsm0480.c index 45a6fbea..fa4a3d1c 100644 --- a/src/gsm0480.c +++ b/src/gsm0480.c @@ -289,11 +289,17 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length, int rc = 1; uint8_t offset = 0; - do { + while (offset + 2 <= length) { /* Component Type tag - table 3.7 */ uint8_t component_type = facility_ie[offset]; uint8_t component_length = facility_ie[offset+1]; + /* size check */ + if (offset + 2 + component_length > length) { + LOGP(0, LOGL_ERROR, "Component does not fit.\n"); + return 0; + } + switch (component_type) { case GSM0480_CTYPE_INVOKE: rc &= parse_ss_invoke(facility_ie+2, @@ -313,7 +319,7 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length, break; } offset += (component_length+2); - } while (offset < length); + }; return rc; } |