From d9e81d0fcf2b1a1064d5ee0031f5edc8f2ebf2c3 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Thu, 14 Oct 2010 20:42:45 +0200 Subject: ipaccess: Verify that the data fits in the package. There is something wrong with the code, the length is here uint8_t but when we generate a IDGET we put it as 16bit data. --- openbsc/src/input/ipaccess.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openbsc/src/input/ipaccess.c b/openbsc/src/input/ipaccess.c index 74c850c9f..faa545830 100644 --- a/openbsc/src/input/ipaccess.c +++ b/openbsc/src/input/ipaccess.c @@ -103,16 +103,23 @@ int ipaccess_idtag_parse(struct tlv_parsed *dec, unsigned char *buf, int len) memset(dec, 0, sizeof(*dec)); - while (cur < buf + len) { + while (len >= 2) { + len -= 2; t_len = *cur++; t_tag = *cur++; + if (t_len > len + 1) { + LOGP(DMI, LOGL_ERROR, "The tag does not fit: %d\n", t_len); + return -1; + } + DEBUGPC(DMI, "%s='%s' ", ipac_idtag_name(t_tag), cur); dec->lv[t_tag].len = t_len; dec->lv[t_tag].val = cur; cur += t_len; + len -= t_len; } return 0; } -- cgit v1.2.3