From f558ed4bb9c0f00997b8f97c2b251a574c1a64c4 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Tue, 2 Jun 2015 15:52:06 +0200 Subject: ipa: Properly parse LV stream of a ID_GET request For some reason the structure is closer to be a LV (length and value). The value is actually a tag but it is counted inside the length. Introduce an overload of the parse function to provide an offset for the length. This will be taken from the returned length. --- src/gsm/ipa.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c index 7cff1e81..dac20122 100644 --- a/src/gsm/ipa.c +++ b/src/gsm/ipa.c @@ -88,6 +88,11 @@ const char *ipa_ccm_idtag_name(uint8_t tag) } int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len) +{ + return ipa_ccm_idtag_parse_off(dec, buf, len, 0); +} + +int ipa_ccm_idtag_parse_off(struct tlv_parsed *dec, unsigned char *buf, int len, const int len_offset) { uint8_t t_len; uint8_t t_tag; @@ -100,6 +105,11 @@ int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len) t_len = *cur++; t_tag = *cur++; + if (t_len < len_offset) { + LOGP(DLMI, LOGL_ERROR, "minimal offset not included: %d\n", t_len); + return -EINVAL; + } + if (t_len > len + 1) { LOGP(DLMI, LOGL_ERROR, "The tag does not fit: %d\n", t_len); return -EINVAL; @@ -107,11 +117,11 @@ int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len) DEBUGPC(DLMI, "%s='%s' ", ipa_ccm_idtag_name(t_tag), cur); - dec->lv[t_tag].len = t_len; + dec->lv[t_tag].len = t_len - len_offset; dec->lv[t_tag].val = cur; - cur += t_len; - len -= t_len; + cur += t_len - len_offset; + len -= t_len - len_offset; } return 0; } -- cgit v1.2.3