2 files changed, 14 insertions, 3 deletions

diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index 3c7c300b..508cc13d 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -100,6 +100,11 @@ const char *ipa_ccm_idtag_name(uint8_t tag)
 
 int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len)
 {
+	return ipa_ccm_idtag_parse_off(dec, buf, len, 0);
+}
+
+int ipa_ccm_idtag_parse_off(struct tlv_parsed *dec, unsigned char *buf, int len, const int len_offset)
+{
 	uint8_t t_len;
 	uint8_t t_tag;
 	uint8_t *cur = buf;
@@ -111,6 +116,11 @@ int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len)
 		t_len = *cur++;
 		t_tag = *cur++;
 
+		if (t_len < len_offset) {
+			LOGP(DLMI, LOGL_ERROR, "minimal offset not included: %d < %d\n", t_len, len_offset);
+			return -EINVAL;
+		}
+
 		if (t_len > len + 1) {
 			LOGP(DLMI, LOGL_ERROR, "The tag does not fit: %d > %d\n", t_len, len + 1);
 			return -EINVAL;
@@ -118,11 +128,11 @@ int ipa_ccm_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len)
 
 		DEBUGPC(DLMI, "%s='%s' ", ipa_ccm_idtag_name(t_tag), cur);
 
-		dec->lv[t_tag].len = t_len;
+		dec->lv[t_tag].len = t_len - len_offset;
 		dec->lv[t_tag].val = cur;
 
-		cur += t_len;
-		len -= t_len;
+		cur += t_len - len_offset;
+		len -= t_len - len_offset;
 	}
 	return 0;
 }
diff --git a/src/gsm/libosmogsm.map b/src/gsm/libosmogsm.map
index a1d342aa..2bb9d97c 100644
--- a/src/gsm/libosmogsm.map
+++ b/src/gsm/libosmogsm.map
@@ -461,6 +461,7 @@ ipa_ccm_send_pong;
 ipa_ccm_tlv_to_unitdata;
 ipa_ccm_idtag_name;
 ipa_ccm_idtag_parse;
+ipa_ccm_idtag_parse_off;
 ipa_ccm_id_get_parse;
 ipa_ccm_id_resp_parse;
 ipa_ccm_make_id_resp;