From c88a44f493d594acdb5d9240855678c34ede2a88 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 11 Oct 2010 08:21:00 +0200
Subject: ussd: Add next test that show that we access the data out of bounds

This test is showing that the internal ASN1 code is not checking the size properly.
---
 tests/ussd/ussd_test.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'tests/ussd')

diff --git a/tests/ussd/ussd_test.c b/tests/ussd/ussd_test.c
index 4d125ffd..6680e63c 100644
--- a/tests/ussd/ussd_test.c
+++ b/tests/ussd/ussd_test.c
@@ -47,6 +47,23 @@ static int parse_ussd(const uint8_t *_data, int len)
 return rc;
 }
 
+static int parse_mangle_ussd(const uint8_t *_data, int len)
+{
+ uint8_t *data;
+ int rc;
+ struct ussd_request req;
+ struct gsm48_hdr *hdr;
+
+ data = malloc(len);
+ memcpy(data, _data, len);
+ hdr = (struct gsm48_hdr *) &data[0];
+ hdr->data[1] = len - sizeof(*hdr) - 2;
+ rc = gsm0480_decode_ussd_request(hdr, len, &req);
+ free(data);
+
+ return rc;
+}
+
 int main(int argc, char **argv)
 {
 const int size = sizeof(ussd_request);
@@ -59,5 +76,11 @@ int main(int argc, char **argv)
 printf("Result for %d is %d\n", rc, i);
 }
 
+ printf("Mangling the container now\n");
+ for (i = size; i > sizeof(struct gsm48_hdr) + 2; --i) {
+ int rc = parse_mangle_ussd(&ussd_request[0], i);
+ printf("Result for %d is %d\n", rc, i);
+ }
+
 return 0;
 }
-- 
cgit v1.2.3
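Review bot: In parse_mangle_ussd the write to `hdr->data[1]` and the `len - sizeof(*hdr) - 2` subtraction assume len covers the header plus two bytes, and the `malloc(len)` result is passed to memcpy unchecked; only the loop bound in main keeps that write inside the allocation. The exact-size heap copy appears to exist so that a memory checker can see reads past len in the decoder, so the helper should not be able to write out of bounds itself: add `if (!data || len < (int)(sizeof(*hdr) + 2)) { free(data); return -1; }` directly after the malloc. A comment along the lines of `/* exact-size heap copy so reads past len show up under valgrind/ASan; data[1] is rewritten to match the truncated length */` would record why the copy and the length rewrite are done.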
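Review bot: The added `printf("Result for %d is %d\n", rc, i);` in the mangling loop passes the return code where the message names the length and the length where it names the result, so the log reads backwards; `printf("Result for %d is %d\n", i, rc);` matches the wording. The context line above the hunk uses the same order, so any expected-output file would have to change together with it. The loop also only prints rc and never asserts on it, so the out-of-bounds access the commit message describes is visible only when the test runs under a memory checker; a comment stating that would help whoever runs it. The comparison `i > sizeof(struct gsm48_hdr) + 2` mixes i with a size_t, and i is declared outside the hunk, so its type should be confirmed.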