From 7d0bce3dfb74de01ccd1dc5535ee56e38ccad38a Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 11 Oct 2010 09:12:33 +0200
Subject: ussd: Add size checks to the parse_ss_invoke calls

Make sure that the mandatory and optional part fits.
---
 src/gsm0480.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/gsm0480.c b/src/gsm0480.c
index fa4a3d1c..73be8acd 100644
--- a/src/gsm0480.c
+++ b/src/gsm0480.c
@@ -331,6 +331,9 @@ static int parse_ss_invoke(const uint8_t *invoke_data, uint16_t length,
 int rc = 1;
 uint8_t offset;
 
+ if (length < 3)
+ return 0;
+
 /* mandatory part */
 if (invoke_data[0] != GSM0480_COMPIDTAG_INVOKE_ID) {
 LOGP(0, LOGL_DEBUG, "Unexpected GSM 04.80 Component-ID tag "
@@ -340,12 +343,18 @@ static int parse_ss_invoke(const uint8_t *invoke_data, uint16_t length,
 offset = invoke_data[1] + 2;
 req->invoke_id = invoke_data[2];
 
+ /* look ahead once */
+ if (offset + 1 > length)
+ return 0;
+
 /* optional part */
 if (invoke_data[offset] == GSM0480_COMPIDTAG_LINKED_ID)
 offset += invoke_data[offset+1] + 2; /* skip over it */
 
 /* mandatory part */
 if (invoke_data[offset] == GSM0480_OPERATION_CODE) {
+ if (offset + 2 > length)
+ return 0;
 uint8_t operation_code = invoke_data[offset+2];
 switch (operation_code) {
 case GSM0480_OP_CODE_PROCESS_USS_REQ:
-- 
cgit v1.2.3
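Review bot: Both bounds checks added in the second hunk are off by one against the index they guard: `if (offset + 1 > length)` still admits offset + 1 == length, yet the optional-part branch then reads `invoke_data[offset+1]`, and `if (offset + 2 > length)` admits offset + 2 == length while the next line reads `invoke_data[offset+2]`; both should reject with `>=`, i.e. `if (offset + 1 >= length)` and `if (offset + 2 >= length)`. Separately, once the linked-ID skip has advanced offset, the mandatory-part comparison `invoke_data[offset] == GSM0480_OPERATION_CODE` is read before any further check, so a large linked-ID length octet can push that read past the end of the buffer; a re-check such as `if (offset >= length) return 0;` belongs between the skip and the mandatory part. Since offset is a uint8_t, `offset += invoke_data[offset+1] + 2` can also wrap and restart parsing inside already-consumed bytes; that presumably stays in bounds but yields a garbage parse, so a comment or a wider local type would help. parse_ss_invoke begins before the first hunk and continues past the end of the second.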