ubx.c: Add some more error checking code

author: Dieter Spaar <spaar@mirider.augusta.de> 2012-07-18 22:15:36 +0200
committer: Harald Welte <laforge@gnumonks.org> 2012-07-18 22:22:47 +0200
commit: 4db6eb8841ddf8f8ba84801aaa0fb386a5cc4c9d (patch)
tree: f896f65e217ae05bc3e267a43a8e7921440982c9
parent: fa32567711e24d7fdb670ca9b1f821b55f6104af (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/ubx.c b/ubx.c
index 83dd1f0..273c02e 100644
--- a/ubx.c
+++ b/ubx.c
@@ -60,11 +60,26 @@ ubx_msg_dispatch(struct ubx_dispatch_entry *dt,
 	uint8_t cksum[2], *cksum_ptr;
 	ubx_msg_handler_t h;
 
+	if (len < 2) {
+		fprintf(stderr, "[!] Length too small (%d)\n", len);
+		return -1;
+	}
+
 	if ((hdr->sync[0] != UBX_SYNC0) || (hdr->sync[1] != UBX_SYNC1)) {
 		fprintf(stderr, "[!] Invalid sync bytes\n");
 		return -1;
 	}
 
+	if (len < sizeof(struct ubx_hdr)) {
+		fprintf(stderr, "[!] Length too small for UBX header (%d)\n", len);
+		return -1;
+	}
+
+	if (len < sizeof(struct ubx_hdr) + hdr->payload_len - 2) {
+		fprintf(stderr, "[!] Length too small for UBX header and payload (%d)\n", len);
+		return -1;
+	}
+
 	ubx_checksum(msg + 2, sizeof(struct ubx_hdr) + hdr->payload_len - 2, cksum);
 	cksum_ptr = msg + (sizeof(struct ubx_hdr) + hdr->payload_len);
 	if ((cksum_ptr[0] != cksum[0]) || (cksum_ptr[1] != cksum[1])) {
author	Dieter Spaar <spaar@mirider.augusta.de>	2012-07-18 22:15:36 +0200
committer	Harald Welte <laforge@gnumonks.org>	2012-07-18 22:22:47 +0200
commit	4db6eb8841ddf8f8ba84801aaa0fb386a5cc4c9d (patch)
tree	f896f65e217ae05bc3e267a43a8e7921440982c9
parent	fa32567711e24d7fdb670ca9b1f821b55f6104af (diff)