From 8ac0486c28be99fed40aa7118d66dbb7e70ccc78 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 11 Oct 2010 08:08:58 +0200
Subject: ussd: Check the structure of the IE.

This is fixing the current crashes. Next we will need to manipulate the content...
---
 src/gsm0480.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/gsm0480.c b/src/gsm0480.c
index 4c1a12a7..36257881 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -209,6 +209,11 @@ int gsm0480_decode_ussd_request(const struct gsm48_hdr *hdr, uint16_t len,
 {
 	int rc = 0;
 
+	if (len < sizeof(*hdr) + 2) {
+		LOGP(0, LOGL_DEBUG, "USSD Request is too short.\n");
+		return 0;
+	}
+
 	if ((hdr->proto_discr & 0x0f) == GSM48_PDISC_NC_SS) {
 		req->transaction_id = hdr->proto_discr & 0x70;
 		rc = parse_ussd(hdr, len, req);
@@ -256,6 +261,10 @@ static int parse_ussd_info_elements(const uint8_t *ussd_ie, uint16_t len,
 	iei = ussd_ie[0];
 	iei_length = ussd_ie[1];
 
+	/* If the data does not fit, report an error */
+	if (len - 2 < iei_length)
+		return 0;
+
 	switch (iei) {
 	case GSM48_IE_CAUSE:
 		break;
-- 
cgit v1.2.3
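Review bot: The `+ 2` in the new guard `if (len < sizeof(*hdr) + 2)` is an unexplained constant; a comment should say what the two octets are, presumably `/* need the L3 header plus at least an IEI and its length octet */` — that is an inference, since parse_ussd is outside the hunk. Separately, a message rejected here is logged at LOGL_DEBUG, so truncated or malformed SS messages from the network leave no trace at normal log levels; LOGL_NOTICE would make such input visible for monitoring. The rest of gsm0480_decode_ussd_request continues outside the hunk.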
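Review bot: The new fit check is placed after `iei = ussd_ie[0]` and `iei_length = ussd_ie[1]` are read, so when `len < 2` the second octet is read out of bounds before the guard rejects it; the rejection then only works because `len - 2` is computed in int and goes negative. Unless every caller guarantees `len >= 2`, which the hunk does not show, an explicit `if (len < 2) return 0;` belongs before the two reads, with the data-fit check kept where it is. parse_ussd_info_elements starts and ends outside the hunk.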