ussd: Check the structure of the IE.

author Holger Hans Peter Freyther <zecke@selfish.org>

Mon, 11 Oct 2010 06:08:58 +0000 (08:08 +0200)

committer Holger Hans Peter Freyther <zecke@selfish.org>

Mon, 11 Oct 2010 07:26:19 +0000 (09:26 +0200)
author Holger Hans Peter Freyther <zecke@selfish.org>
Mon, 11 Oct 2010 06:08:58 +0000 (08:08 +0200)
committer Holger Hans Peter Freyther <zecke@selfish.org>
Mon, 11 Oct 2010 07:26:19 +0000 (09:26 +0200)
diff --git a/src/gsm0480.c b/src/gsm0480.c

index 4c1a12a..3625788 100644 (file)
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -209,6 +209,11 @@ int gsm0480_decode_ussd_request(const struct gsm48_hdr *hdr, uint16_t len,
  {
         int rc = 0;
  
+       if (len < sizeof(*hdr) + 2) {
+               LOGP(0, LOGL_DEBUG, "USSD Request is too short.\n");
+               return 0;
+       }
+
         if ((hdr->proto_discr & 0x0f) == GSM48_PDISC_NC_SS) {
                 req->transaction_id = hdr->proto_discr & 0x70;
                 rc = parse_ussd(hdr, len, req);
@@ -256,6 +261,10 @@ static int parse_ussd_info_elements(const uint8_t *ussd_ie, uint16_t len,
         iei = ussd_ie[0];
         iei_length = ussd_ie[1];
  
+       /* If the data does not fit, report an error */
+       if (len - 2 < iei_length)
+               return 0;
+
         switch (iei) {
         case GSM48_IE_CAUSE:
                 break;
author	Holger Hans Peter Freyther <zecke@selfish.org>
	Mon, 11 Oct 2010 06:08:58 +0000 (08:08 +0200)
committer	Holger Hans Peter Freyther <zecke@selfish.org>
	Mon, 11 Oct 2010 07:26:19 +0000 (09:26 +0200)