authorHolger Hans Peter Freyther <zecke@selfish.org>2010-10-11 08:08:58 +0200
committerHolger Hans Peter Freyther <zecke@selfish.org>2010-10-11 09:26:19 +0200
commit8ac0486c28be99fed40aa7118d66dbb7e70ccc78 (patch)
tree1fa673b7ceda40a8824c3d961964b811f5c265f5 /src
parentdaa653fc2268ca99389ef2730abf5fe000eb7a37 (diff)
ussd: Check the structure of the IE.
This is fixing the current crashes. Next we will need to manipulate the content...
Diffstat (limited to 'src')
-rw-r--r--src/gsm0480.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/gsm0480.c b/src/gsm0480.c
index 4c1a12a7..36257881 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -209,6 +209,11 @@ int gsm0480_decode_ussd_request(const struct gsm48_hdr *hdr, uint16_t len,
{
int rc = 0;
+ if (len < sizeof(*hdr) + 2) {
+ LOGP(0, LOGL_DEBUG, "USSD Request is too short.\n");
+ return 0;
+ }
+
if ((hdr->proto_discr & 0x0f) == GSM48_PDISC_NC_SS) {
req->transaction_id = hdr->proto_discr & 0x70;
rc = parse_ussd(hdr, len, req);
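Review bot: The `+ 2` in the new length check is an unexplained constant, and the rejection is logged only at `LOGL_DEBUG`. The two octets appear to be the IEI and length bytes that `parse_ussd_info_elements` later reads as `ussd_ie[0]` and `ussd_ie[1]`, so a comment such as `/* header plus IEI and length octet of the first IE */` would tie the guard to those reads. A truncated request comes from the peer and, per the commit message, used to crash the decoder, so `LOGL_NOTICE` would make such messages visible without debug logging enabled. The early `return 0` also leaves `req` unwritten; the rest of the function is outside the hunk, so it is worth confirming that callers treat 0 as failure and do not read `req` afterwards.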
@@ -256,6 +261,10 @@ static int parse_ussd_info_elements(const uint8_t *ussd_ie, uint16_t len,
iei = ussd_ie[0];
iei_length = ussd_ie[1];
+ /* If the data does not fit, report an error */
+ if (len - 2 < iei_length)
+ return 0;
+
switch (iei) {
case GSM48_IE_CAUSE:
break;
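Review bot: `ussd_ie[0]` and `ussd_ie[1]` are still read before any length check in `parse_ussd_info_elements`, so the new `len - 2 < iei_length` test runs only after two bytes have already been dereferenced. The guard added to `gsm0480_decode_ussd_request` covers that entry path, but this function takes its own `len` and its other callers are not visible here; an `if (len < 2) return 0;` ahead of the two reads would make it safe on its own. With that in place the subtraction can no longer go negative, and the comparison no longer depends on integer promotion of the `uint16_t`. The `switch` body continues outside the hunk, so whether each case bounds its reads by `iei_length` cannot be checked from here.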