| -rw-r--r-- | src/gsm0480.c | 10 | 
1 files changed, 8 insertions, 2 deletions
|
diff --git a/src/gsm0480.c b/src/gsm0480.c
index 45a6fbea..fa4a3d1c 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -289,11 +289,17 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 	int rc = 1;
 	uint8_t offset = 0;
-	do {
+	while (offset + 2 <= length) {
 		/* Component Type tag - table 3.7 */
 		uint8_t component_type = facility_ie[offset];
 		uint8_t component_length = facility_ie[offset+1];
+		/* size check */
+		if (offset + 2 + component_length > length) {
+			LOGP(0, LOGL_ERROR, "Component does not fit.\n");
+			return 0;
+		}
+
 		switch (component_type) {
 		case GSM0480_CTYPE_INVOKE:
 			rc &= parse_ss_invoke(facility_ie+2,
@@ -313,7 +319,7 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 			break;
 		}
 		offset += (component_length+2);
-	} while (offset < length);
+	};
 	return rc;
 }
|
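Review bot: `offset` is still declared `uint8_t` while `length` is `uint16_t`, so the new size check (evaluated in `int`) passes but `offset += (component_length+2)` in the second hunk can wrap modulo 256 for an IE longer than 255 bytes. On crafted input the loop could then revisit earlier bytes or never terminate; declaring it as `uint16_t offset = 0;` removes the wrap. Separately, the context line `rc &= parse_ss_invoke(facility_ie+2,` passes a pointer that ignores `offset`. The rest of that call is outside the hunk, but unless it compensates, the range validated by the size check is not the range parsed for any component after the first, and `facility_ie+offset+2` would be the matching argument.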
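Review bot: The loop now closes with `};`, which leaves a stray empty statement after the `while` body; a plain `}` is what is meant. With the `while (offset + 2 <= length)` form, an empty IE or a single trailing byte also falls out of the loop with `rc` still 1, so truncated input is reported as parsed successfully. If callers should treat that as malformed, add `if (length < 2 || offset != length) return 0;` before `return rc;`; otherwise a comment stating that leftover bytes are deliberately ignored would help.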
