diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 08:21:00 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-11 09:26:19 +0200 |
commit | c88a44f493d594acdb5d9240855678c34ede2a88 (patch) | |
tree | 5744cba7b8548b4e95b2bb2835532be2340a11af | |
parent | 8ac0486c28be99fed40aa7118d66dbb7e70ccc78 (diff) |
ussd: Add next test that show that we access the data out of bounds
This test is showing that the internal ASN1 code is not checking
the size properly.
-rw-r--r-- | tests/ussd/ussd_test.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/ussd/ussd_test.c b/tests/ussd/ussd_test.c index 4d125ffd..6680e63c 100644 --- a/tests/ussd/ussd_test.c +++ b/tests/ussd/ussd_test.c @@ -47,6 +47,23 @@ static int parse_ussd(const uint8_t *_data, int len) return rc; } +static int parse_mangle_ussd(const uint8_t *_data, int len) +{ + uint8_t *data; + int rc; + struct ussd_request req; + struct gsm48_hdr *hdr; + + data = malloc(len); + memcpy(data, _data, len); + hdr = (struct gsm48_hdr *) &data[0]; + hdr->data[1] = len - sizeof(*hdr) - 2; + rc = gsm0480_decode_ussd_request(hdr, len, &req); + free(data); + + return rc; +} + int main(int argc, char **argv) { const int size = sizeof(ussd_request); @@ -59,5 +76,11 @@ int main(int argc, char **argv) printf("Result for %d is %d\n", rc, i); } + printf("Mangling the container now\n"); + for (i = size; i > sizeof(struct gsm48_hdr) + 2; --i) { + int rc = parse_mangle_ussd(&ussd_request[0], i); + printf("Result for %d is %d\n", rc, i); + } + return 0; } |