ussd: Make sure the component fits.

Use a while() {} to check offset +2 <= length on the first iteration of the loop. Once we have the component length check that it is going to fit into the given length.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-10-11 09:07:50 +0200
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-10-11 09:26:19 +0200
commit: 4156ec6dd106d1223ea67bca45962e7dbe024526 (patch)
tree: a87a79588ac44c563d932942a611bca6c091de1f /src
parent: 49ad500ac64537eee2d933f1c255282b98042c5c (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/gsm0480.c b/src/gsm0480.c
index 45a6fbea..fa4a3d1c 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -289,11 +289,17 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 	int rc = 1;
 	uint8_t offset = 0;
 
-	do {
+	while (offset + 2 <= length) {
 		/* Component Type tag - table 3.7 */
 		uint8_t component_type = facility_ie[offset];
 		uint8_t component_length = facility_ie[offset+1];
 
+		/* size check */
+		if (offset + 2 + component_length > length) {
+			LOGP(0, LOGL_ERROR, "Component does not fit.\n");
+			return 0;
+		}
+
 		switch (component_type) {
 		case GSM0480_CTYPE_INVOKE:
 			rc &= parse_ss_invoke(facility_ie+2,
@@ -313,7 +319,7 @@ static int parse_facility_ie(const uint8_t *facility_ie, uint16_t length,
 			break;
 		}
 		offset += (component_length+2);
-	} while (offset < length);
+	};
 
 	return rc;
 }
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-10-11 09:07:50 +0200
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-10-11 09:26:19 +0200
commit	4156ec6dd106d1223ea67bca45962e7dbe024526 (patch)
tree	a87a79588ac44c563d932942a611bca6c091de1f /src
parent	49ad500ac64537eee2d933f1c255282b98042c5c (diff)