diff options
-rw-r--r-- | src/gsm/gsm0480.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/gsm/gsm0480.c b/src/gsm/gsm0480.c index 38082b32..636f2678 100644 --- a/src/gsm/gsm0480.c +++ b/src/gsm/gsm0480.c @@ -552,8 +552,12 @@ static int parse_process_uss_data(const uint8_t *uss_req_data, uint16_t length, if (num_chars > length - 2) return 0; - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, " + "dropping message", num_chars); + return 0; + } memcpy(req->ussd_text, uss_req_data + 2, num_chars); @@ -588,9 +592,12 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length, /* Get the amount of bytes */ num_chars = uss_req_data[6]; - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, " + "dropping message", num_chars); + return 0; + } /* Copy the data 'as is' */ memcpy(req->ussd_data, uss_req_data + 7, num_chars); @@ -606,10 +613,6 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length, /* Calculate the amount of 7-bit characters */ num_chars = (num_chars * 8) / 7; - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_7BIT_STRING_LEN) - num_chars = GSM0480_USSD_7BIT_STRING_LEN; - gsm_7bit_decode_n_ussd((char *)req->ussd_text, sizeof(req->ussd_text), &(uss_req_data[7]), num_chars); |