author | Harald Welte <laforge@osmocom.org> | 2021-04-29 18:38:48 +0200 |
---|---|---|
committer | Harald Welte <laforge@osmocom.org> | 2021-04-29 19:59:09 +0200 |
commit | b189b5f29cfe613ac096f84a8bd2df7f06516af0 (patch) | |
tree | 30902258ce08fcfeb56244bc448e7d1810964e7d | |
parent | 539272dd8e4a2db2ce9489478f0c099e6e1be8e0 (diff) |
Fix ipa_ccm_make_id_resp_from_req to work at all
The parser was so horribly broken, it could not ever have possibly
worked.
Change-Id: Ibed0ff7f8d36504ef783f2653c9982d4e25e874f
-rw-r--r-- | src/gsm/ipa.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index fdc0bc6f..fc77d756 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -412,10 +412,14 @@ struct msgb *ipa_ccm_make_id_resp_from_req(const struct ipaccess_unit *dev,
 /* build a array of the IEIs */
 while (len >= 2) {
 uint8_t t_len, t_tag;
- len -= 2;
+ len -= 2; /* subtract the length of the two bytes read below */
 t_len = *cur++;
 t_tag = *cur++;
+ /* as the 'tag' is included in the length of t_len, this cannot happen */
+ if (t_len == 0)
+ break;
+
 if (t_len > len + 1) {
 LOGP(DLINP, LOGL_ERROR, "IPA CCM tag 0x%02x does not fit\n", t_tag);
 break;
@@ -423,13 +427,14 @@ struct msgb *ipa_ccm_make_id_resp_from_req(const struct ipaccess_unit *dev,
 ies[num_ies++] = t_tag;
- cur += t_len;
+ /* we need to subtract one from t_len to account for the tag */
+ cur += t_len - 1;
 /* prevent any unsigned integer underflow due to somebody sending us
 * messages with wrong length values */
 if (len <= t_len)
 len = 0;
 else
- len -= t_len;
+ len -= t_len - 1;
 }
 return ipa_ccm_make_id_resp(dev, ies, num_ies);
 } |
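Review bot: The added `if (t_len == 0) break;` leaves the loop silently, whereas the neighbouring oversized-length check a few lines below logs before breaking, so a peer sending a zero-length tag gets a truncated response with no diagnostic. The new comment `this cannot happen` also reads as an invariant, but `t_len` is taken directly from the received message, so this is a malformed-input case rather than an impossibility. Suggest mirroring the existing handling with `LOGP(DLINP, LOGL_ERROR, "IPA CCM tag 0x%02x has zero length\n", t_tag);` before the `break;`, and rewording the comment to `/* t_len includes the tag byte, so a zero length is a malformed IE */`. The enclosing ipa_ccm_make_id_resp_from_req starts before this hunk.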
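Review bot: Once the first hunk's `if (t_len > len + 1)` check has passed, `t_len - 1 <= len` holds, so the `if (len <= t_len) len = 0; else len -= t_len - 1;` guard this hunk edits can no longer observe an underflow; its comment about wrong length values now describes a case the earlier check already rejects. The `<=` is also off by one against the `t_len - 1` subtraction: at `len == t_len` one remaining byte is zeroed rather than kept, which is harmless because the loop needs two, but it makes the intent hard to read. Consider reducing it to a plain `len -= t_len - 1;`, or keeping the branch and rewording the comment to say it is defensive only. Separately, the context line `ies[num_ies++] = t_tag;` stores without comparing `num_ies` against the capacity of `ies`, whose declaration is outside the hunk; if it is a fixed-size array, a request carrying more tags than it holds would write past it, so a check such as `if (num_ies >= sizeof(ies)) break;` (assuming a `uint8_t` array) before the store is worth adding. The enclosing function starts before this hunk.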