From 2cd1dda631713a188f285775b19667e252e3a681 Mon Sep 17 00:00:00 2001 From: Vadim Yanitskiy Date: Sun, 26 May 2019 00:14:16 +0700 Subject: gsm48_decode_bcd_number2(): fix output truncation Thanks to the new unit test for BCD number encoding / decoding, it was discovered that gsm48_decode_bcd_number2() does not properly handle encoded LV if the output buffer size is equal to the original MSISDN length + 1 (\0-terminator): one digit is lost. For example, decoding of 15-digit long MSISDN to a buffer of size 16 (15 digits + 1 for \0) would give us only 14 digits. The problem was that 'output_len' was being decremented before checking the remaining buffer length and writing a digit to it. As a result, the maximum length was always one byte shorter. Change-Id: I61d49387fedbf7b238e21540a5eff22f6861e27a Fixes: OS#4025 --- src/gsm/gsm48_ie.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/gsm/gsm48_ie.c b/src/gsm/gsm48_ie.c index ca6489a9..48d0d379 100644 --- a/src/gsm/gsm48_ie.c +++ b/src/gsm/gsm48_ie.c @@ -88,16 +88,16 @@ int gsm48_decode_bcd_number2(char *output, size_t output_len, for (i = 1 + h_len; i <= in_len; i++) { /* lower nibble */ - output_len--; if (output_len <= 1) break; *output++ = bcd_num_digits[bcd_lv[i] & 0xf]; + output_len--; /* higher nibble */ - output_len--; if (output_len <= 1) break; *output++ = bcd_num_digits[bcd_lv[i] >> 4]; + output_len--; } if (output_len >= 1) *output++ = '\0'; -- cgit v1.2.3
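Review bot: both `if (output_len <= 1) break;` exits in the loop still truncate silently in the lines shown, so a caller cannot distinguish a complete number from one cut short by a small buffer. Consider recording the truncation at those two breaks and returning a distinct error code after the terminator has been written, and document that return value in the function's comment. Moving `output_len--;` after each write also changes the `output_len == 0` case: `output_len` is a `size_t`, so with the old order the first decrement would wrap around and the `<= 1` check would no longer stop the writes, unless a zero length is rejected earlier in the function (not visible in this hunk). The commit message only mentions the lost digit, so it would help to mention that case as well and to extend the unit test to buffer sizes 0 and 1 alongside the exact-fit size of digits + 1.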