author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 09:12:33 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 09:26:19 +0200 |
commit | 7d0bce3dfb74de01ccd1dc5535ee56e38ccad38a (patch) | |
tree | 6dfeda9d771d779356a5494d993da68dfa4504f0 | |
parent | 4156ec6dd106d1223ea67bca45962e7dbe024526 (diff) |
ussd: Add size checks to the parse_ss_invoke calls
Make sure that the mandatory and optional part fits.
-rw-r--r-- | src/gsm0480.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/gsm0480.c b/src/gsm0480.c index fa4a3d1c..73be8acd 100644 --- a/src/gsm0480.c +++ b/src/gsm0480.c @@ -331,6 +331,9 @@ static int parse_ss_invoke(const uint8_t *invoke_data, uint16_t length, int rc = 1; uint8_t offset; + if (length < 3) + return 0; + /* mandatory part */ if (invoke_data[0] != GSM0480_COMPIDTAG_INVOKE_ID) { LOGP(0, LOGL_DEBUG, "Unexpected GSM 04.80 Component-ID tag " @@ -340,12 +343,18 @@ static int parse_ss_invoke(const uint8_t *invoke_data, uint16_t length, offset = invoke_data[1] + 2; req->invoke_id = invoke_data[2]; + /* look ahead once */ + if (offset + 1 > length) + return 0; + /* optional part */ if (invoke_data[offset] == GSM0480_COMPIDTAG_LINKED_ID) offset += invoke_data[offset+1] + 2; /* skip over it */ /* mandatory part */ if (invoke_data[offset] == GSM0480_OPERATION_CODE) { + if (offset + 2 > length) + return 0; uint8_t operation_code = invoke_data[offset+2]; switch (operation_code) { case GSM0480_OP_CODE_PROCESS_USS_REQ: |
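Review bot: The new `if (length < 3)` guard at the top of parse_ss_invoke rejects a truncated component without any trace, while the tag-mismatch path right below it logs through LOGP, and the constant 3 is unexplained. A one-line comment such as `/* tag, length and invoke ID octets are read unconditionally below */` would tie the number to the three reads it protects. A debug line in the style already used here, for example `LOGP(0, LOGL_DEBUG, "GSM 04.80 invoke component too short\n");`, would make short messages visible when diagnosing malformed input. The function body continues outside this hunk, so whether 0 is the same failure value the other error paths return should be confirmed there.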
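Review bot: Both bounds checks added in this hunk stop one short of the index that is read after them. `if (offset + 2 > length)` still lets `offset + 2 == length` through, so `invoke_data[offset+2]` is read one byte past the buffer; the comparison should be `offset + 2 >= length`. The look-ahead `offset + 1 > length` covers only `invoke_data[offset]`, so the linked-ID branch reads `invoke_data[offset+1]` unchecked, and after the skip the new `offset` is used for the operation-code tag without being compared to `length` again. `offset` is declared `uint8_t` in the first hunk's context, so `invoke_data[1] + 2` and the `+=` can wrap before these comparisons run; a wider type would make the checks mean what they say. The function body starts before and continues after this hunk.

```c
	/* ... unchanged: offset = invoke_data[1] + 2; req->invoke_id = invoke_data[2]; ... */

	/* look ahead once: the next tag octet must be inside the buffer */
	if (offset >= length)
		return 0;

	/* optional part */
	if (invoke_data[offset] == GSM0480_COMPIDTAG_LINKED_ID) {
		/* the linked-ID length octet is read next, so it must exist */
		if (offset + 1 >= length)
			return 0;
		offset += invoke_data[offset+1] + 2;  /* skip over it */
		/* re-check: the operation code tag is read at the new offset */
		if (offset >= length)
			return 0;
	}

	/* mandatory part */
	if (invoke_data[offset] == GSM0480_OPERATION_CODE) {
		/* invoke_data[offset+2] is read below */
		if (offset + 2 >= length)
			return 0;
		/* ... unchanged: operation_code read and switch ... */
```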