diff options
| author | Neels Hofmeyr <neels@hofmeyr.de> | 2019-04-30 02:35:47 +0200 |
|---|---|---|
| committer | Harald Welte <laforge@gnumonks.org> | 2019-05-05 16:23:41 +0000 |
| commit | b3868e14103090ae7d1abb9b84ec217623d8d07a (patch) | |
| tree | 9bc02d5239296af5b7e7209a50f14f9ae3e74b25 /src | |
| parent | 73c6682f5398eb3457d092b8b5f8ad20a3f5b493 (diff) | |
gsm48_decode_bcd_number2(): fix input len check
The input_len argument for gsm48_decode_bcd_number2() includes the BCD length
*and* the length byte itself, so add the missing +1.
Also clarify the API doc for the input_len argument.
Change-Id: I87599641325c04aae2be224ec350b1a145039528
Diffstat (limited to 'src')
| -rw-r--r-- | src/gsm/gsm48_ie.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/gsm/gsm48_ie.c b/src/gsm/gsm48_ie.c index 049f5dc6..0e5f2538 100644 --- a/src/gsm/gsm48_ie.c +++ b/src/gsm/gsm48_ie.c @@ -80,7 +80,7 @@ int gsm48_decode_bcd_number(char *output, int output_len, * \param[out] output Caller-provided output buffer. * \param[in] output_len sizeof(output). * \param[in] bcd_lv Length-Value part of to-be-decoded IE. - * \param[in] input_len Size of the buffer to read the IE from. + * \param[in] input_len Size of the bcd_lv buffer for bounds checking. * \param[in] h_len Length of an optional header between L and V parts. * \return 0 in case of success, negative on error. Errors checked: no or too little input data, no or too little * output buffer size, IE length exceeds input data size, decoded number exceeds size of the output buffer. The output @@ -97,7 +97,8 @@ int gsm48_decode_bcd_number2(char *output, size_t output_len, if (input_len < 1) return -EIO; len = bcd_lv[0]; - if (input_len < len) + /* len + 1: the BCD length plus the length byte itself must fit in the input buffer. */ + if (input_len < len + 1) return -EIO; return gsm48_decode_bcd_number(output, output_len, bcd_lv, h_len); } |