diff options
| author | Vadim Yanitskiy <axilirator@gmail.com> | 2018-04-04 19:19:07 +0700 |
|---|---|---|
| committer | Vadim Yanitskiy <axilirator@gmail.com> | 2018-04-04 20:24:09 +0700 |
| commit | 2ecfb30d7f00c8307600450e184dfd26990e8bc6 (patch) | |
| tree | e5fb5d2c330ffdcf3432d20b5ebb53c444218065 /src | |
| parent | a24ead01260b472dcdf5c18190468aac9b9f43cb (diff) | |
gsm0480: drop messages with incorrect data length
If either an INVOKE, either a RETURN_RESULT component has the
data with incorrect length (see Annex A, 3GPP TS 04.80), the
whole message is probably incorrect.
Let's drop such messages instead of silent truncation.
Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808
Diffstat (limited to 'src')
| -rw-r--r-- | src/gsm/gsm0480.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/gsm/gsm0480.c b/src/gsm/gsm0480.c index 38082b32..636f2678 100644 --- a/src/gsm/gsm0480.c +++ b/src/gsm/gsm0480.c @@ -552,8 +552,12 @@ static int parse_process_uss_data(const uint8_t *uss_req_data, uint16_t length, if (num_chars > length - 2) return 0; - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, " + "dropping message", num_chars); + return 0; + } memcpy(req->ussd_text, uss_req_data + 2, num_chars); @@ -588,9 +592,12 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length, /* Get the amount of bytes */ num_chars = uss_req_data[6]; - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, " + "dropping message", num_chars); + return 0; + } /* Copy the data 'as is' */ memcpy(req->ussd_data, uss_req_data + 7, num_chars); @@ -606,10 +613,6 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length, /* Calculate the amount of 7-bit characters */ num_chars = (num_chars * 8) / 7; - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_7BIT_STRING_LEN) - num_chars = GSM0480_USSD_7BIT_STRING_LEN; - gsm_7bit_decode_n_ussd((char *)req->ussd_text, sizeof(req->ussd_text), &(uss_req_data[7]), num_chars); |