-rw-r--r--src/gsm/gsm0480.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/src/gsm/gsm0480.c b/src/gsm/gsm0480.c
index 38082b32..636f2678 100644
--- a/src/gsm/gsm0480.c
+++ b/src/gsm/gsm0480.c
@@ -552,8 +552,12 @@ static int parse_process_uss_data(const uint8_t *uss_req_data, uint16_t length,
if (num_chars > length - 2)
return 0;
- if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
- num_chars = GSM0480_USSD_OCTET_STRING_LEN;
+ /* Drop messages with incorrect length */
+ if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
+ LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, "
+ "dropping message", num_chars);
+ return 0;
+ }
memcpy(req->ussd_text, uss_req_data + 2, num_chars);
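Review bot: The new drop check compares num_chars with GSM0480_USSD_OCTET_STRING_LEN, but the memcpy right after it writes into req->ussd_text, whose declared size is not visible in this hunk. The third hunk bounds the same field with `sizeof(req->ussd_text)`, so if that buffer is sized by a different constant, the limit is better tied to the destination, e.g. `if (num_chars > GSM0480_USSD_OCTET_STRING_LEN || num_chars >= sizeof(req->ussd_text))`. The `>=` also leaves room for a terminator if the field is consumed as a C string. Separately, the LOGP format string here and in the USS_REQ hunk ends in `dropping message` without a trailing `\n`, which libosmocore log lines normally carry. parse_process_uss_data starts and ends outside the hunk.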
@@ -588,9 +592,12 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length,
/* Get the amount of bytes */
num_chars = uss_req_data[6];
- /* Prevent a mobile-originated buffer-overrun! */
- if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
- num_chars = GSM0480_USSD_OCTET_STRING_LEN;
+ /* Drop messages with incorrect length */
+ if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
+ LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, "
+ "dropping message", num_chars);
+ return 0;
+ }
/* Copy the data 'as is' */
memcpy(req->ussd_data, uss_req_data + 7, num_chars);
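Review bot: In this hunk num_chars, read from uss_req_data[6], is checked only against the destination limit, and nothing visible compares it with `length`. The memcpy from `uss_req_data + 7` may therefore read past the end of the received message when the mobile-supplied length octet is larger than what was actually sent. The USS_DATA parser guards its copy with `if (num_chars > length - 2) return 0;`, and the equivalent here would be `if (num_chars > length - 7) return 0;` before the copy, assuming a minimum `length` is already established. The same source bound matters for the later gsm_7bit_decode_n_ussd call, which reads from `&(uss_req_data[7])`. parse_process_uss_req starts outside the hunk, so an earlier check may already cover this; if so, a short comment saying so would help.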
@@ -606,10 +613,6 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length,
/* Calculate the amount of 7-bit characters */
num_chars = (num_chars * 8) / 7;
- /* Prevent a mobile-originated buffer-overrun! */
- if (num_chars > GSM0480_USSD_7BIT_STRING_LEN)
- num_chars = GSM0480_USSD_7BIT_STRING_LEN;
-
gsm_7bit_decode_n_ussd((char *)req->ussd_text,
sizeof(req->ussd_text), &(uss_req_data[7]), num_chars);
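Review bot: With the GSM0480_USSD_7BIT_STRING_LEN clamp removed, nothing at this call site records why num_chars is still safe. The output bound now rests on gsm_7bit_decode_n_ussd honouring `sizeof(req->ussd_text)` and, presumably, on the octet-length check added earlier in parse_process_uss_req. A comment before the call would make that explicit, for example `/* num_chars <= (GSM0480_USSD_OCTET_STRING_LEN * 8) / 7 here; output is bounded by sizeof(req->ussd_text) */`. It is also worth confirming how the decoder behaves when the septet count exceeds the buffer, since a silently shortened ussd_text next to a complete ussd_data would sit oddly with the drop-on-bad-length policy this commit introduces. The enclosing block starts and ends outside the hunk.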