authorHolger Hans Peter Freyther <zecke@selfish.org>2010-10-11 08:21:00 +0200
committerHolger Hans Peter Freyther <zecke@selfish.org>2010-10-11 09:26:19 +0200
commitc88a44f493d594acdb5d9240855678c34ede2a88 (patch)
tree5744cba7b8548b4e95b2bb2835532be2340a11af
parent8ac0486c28be99fed40aa7118d66dbb7e70ccc78 (diff)
ussd: Add next test that show that we access the data out of bounds
This test is showing that the internal ASN1 code is not checking the size properly.
-rw-r--r--tests/ussd/ussd_test.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/ussd/ussd_test.c b/tests/ussd/ussd_test.c
index 4d125ffd..6680e63c 100644
--- a/tests/ussd/ussd_test.c
+++ b/tests/ussd/ussd_test.c
@@ -47,6 +47,23 @@ static int parse_ussd(const uint8_t *_data, int len)
return rc;
}
+static int parse_mangle_ussd(const uint8_t *_data, int len)
+{
+ uint8_t *data;
+ int rc;
+ struct ussd_request req;
+ struct gsm48_hdr *hdr;
+
+ data = malloc(len);
+ memcpy(data, _data, len);
+ hdr = (struct gsm48_hdr *) &data[0];
+ hdr->data[1] = len - sizeof(*hdr) - 2;
+ rc = gsm0480_decode_ussd_request(hdr, len, &req);
+ free(data);
+
+ return rc;
+}
+
int main(int argc, char **argv)
{
const int size = sizeof(ussd_request);
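Review bot: `parse_mangle_ussd` copies into and writes through `data` without checking the `malloc` result or that `len` is at least `sizeof(*hdr) + 2`, so the store to `hdr->data[1]` stays inside the allocation only because the loop in `main` stops above that bound. Because this test exists to expose an out-of-bounds access in the decoder, a stray write in the harness itself would blur what a memory checker reports. Adding `if (len < (int)(sizeof(*hdr) + 2)) return -1;` before the allocation and `if (!data) return -1;` after it would make the helper safe on its own. A one-line comment on the assignment would also help, for example `/* rewrite the container length to match the truncated buffer; inner lengths are left as they were */`, assuming `data[1]` is the outer length octet, which the hunk does not show.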
@@ -59,5 +76,11 @@ int main(int argc, char **argv)
printf("Result for %d is %d\n", rc, i);
}
+ printf("Mangling the container now\n");
+ for (i = size; i > sizeof(struct gsm48_hdr) + 2; --i) {
+ int rc = parse_mangle_ussd(&ussd_request[0], i);
+ printf("Result for %d is %d\n", rc, i);
+ }
+
return 0;
}
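Review bot: The new loop only prints `rc`, so nothing here fails when the decoder reads past the buffer. The out-of-bounds access named in the commit message will presumably surface only when the test runs under Valgrind or AddressSanitizer against the exact-size heap copy. A comment above the loop such as `/* meant to run under valgrind/ASan: the exact-size heap copy turns decoder over-reads into reported errors */` would tell the next reader how this test is supposed to fail. Separately, `printf("Result for %d is %d\n", rc, i);` passes `rc` where the text announces the length and `i` where it announces the result; it mirrors the existing context line, but `i, rc` would match the wording. `main` begins before this hunk, so the declaration of `i` is not visible here.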