ussd: Add next test that show that we access the data out of bounds

This test is showing that the internal ASN1 code is not checking the size properly.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-10-11 08:21:00 +0200
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-10-11 09:26:19 +0200
commit: c88a44f493d594acdb5d9240855678c34ede2a88 (patch)
tree: 5744cba7b8548b4e95b2bb2835532be2340a11af /tests
parent: 8ac0486c28be99fed40aa7118d66dbb7e70ccc78 (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/ussd/ussd_test.c b/tests/ussd/ussd_test.c
index 4d125ffd..6680e63c 100644
--- a/tests/ussd/ussd_test.c
+++ b/tests/ussd/ussd_test.c
@@ -47,6 +47,23 @@ static int parse_ussd(const uint8_t *_data, int len)
 	return rc;
 }
 
+static int parse_mangle_ussd(const uint8_t *_data, int len)
+{
+	uint8_t *data;
+	int rc;
+	struct ussd_request req;
+	struct gsm48_hdr *hdr;
+
+	data = malloc(len);
+	memcpy(data, _data, len);
+	hdr = (struct gsm48_hdr *) &data[0];
+	hdr->data[1] = len - sizeof(*hdr) - 2;
+	rc = gsm0480_decode_ussd_request(hdr, len, &req);
+	free(data);
+
+	return rc;
+}
+
 int main(int argc, char **argv)
 {
 	const int size = sizeof(ussd_request);
@@ -59,5 +76,11 @@ int main(int argc, char **argv)
 		printf("Result for %d is %d\n", rc, i);
 	}
 
+	printf("Mangling the container now\n");
+	for (i = size; i > sizeof(struct gsm48_hdr) + 2; --i) {
+		int rc = parse_mangle_ussd(&ussd_request[0], i);
+		printf("Result for %d is %d\n", rc, i);
+	}
+
 	return 0;
 }
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-10-11 08:21:00 +0200
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-10-11 09:26:19 +0200
commit	c88a44f493d594acdb5d9240855678c34ede2a88 (patch)
tree	5744cba7b8548b4e95b2bb2835532be2340a11af /tests
parent	8ac0486c28be99fed40aa7118d66dbb7e70ccc78 (diff)