From 4156ec6dd106d1223ea67bca45962e7dbe024526 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 11 Oct 2010 09:07:50 +0200
Subject: ussd: Make sure the component fits.

Use a while() {} to check offset +2 <= length on the first iteration of the loop. Once we have the component length check that it is going to fit into the given length.
---
 src/gsm0480.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/gsm0480.c b/src/gsm0480.c
index 45a6fbea..fa4a3d1c 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -289,11 +289,17 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 	int rc = 1;
 	uint8_t offset = 0;
 
-	do {
+	while (offset + 2 <= length) {
 		/* Component Type tag - table 3.7 */
 		uint8_t component_type = facility_ie[offset];
 		uint8_t component_length = facility_ie[offset+1];
 
+		/* size check */
+		if (offset + 2 + component_length > length) {
+			LOGP(0, LOGL_ERROR, "Component does not fit.\n");
+			return 0;
+		}
+
 		switch (component_type) {
 		case GSM0480_CTYPE_INVOKE:
 			rc &= parse_ss_invoke(facility_ie+2,
@@ -313,7 +319,7 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 			break;
 		}
 		offset += (component_length+2);
-	} while (offset < length);
+	};
 
 	return rc;
 }
-- 
cgit v1.2.3
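Review bot: The cursor `offset` is a uint8_t (context line of this hunk) while `length` is a uint16_t, so `offset += (component_length+2);` in the second hunk wraps modulo 256 once the sum exceeds 255, and the new checks cannot catch that because they are evaluated in int: with offset ≤ 255 and component_length ≤ 255, `offset + 2 <= length` is always true for length ≥ 257 and `offset + 2 + component_length > length` is never true for length ≥ 512, so if a caller can pass such a length the loop re-walks earlier bytes indefinitely. Widening the declaration, `uint16_t offset = 0;`, removes the wrap, since after the size check offset + 2 + component_length is at most length. Separately, the context line `rc &= parse_ss_invoke(facility_ie+2,` appears to hand every iteration the start of the IE rather than `facility_ie + offset + 2`; the remaining arguments lie outside the hunk, so confirm against the full call. parse_facility_ie begins before this hunk and its body continues past it.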
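Review bot: The replacement line `};` leaves a stray semicolon after the closing brace of the while loop; it is an empty statement that some compilers warn about and it should read `}` alone. The loop body and the signature of parse_facility_ie lie outside this hunk.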