author | Mike Haben <michael.haben@btinternet.com> | 2009-10-26 20:36:34 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2009-10-26 20:39:26 +0100 |
commit | 2449b37dfe424248ea9fe2143efb78a3cd385d64 (patch) | |
tree | e9b939fed62cc7b978fbb5477aea2169001587e8 /openbsc/src/gsm_04_80.c | |
parent | dc329a6cdb204d89c15599ca606e239dde368e7f (diff) |
[USSD] various USSD improvements
- Improved handling of extension-number string (as per review)
- Guard against a buffer-overflow if mobile sends a too-long USSD
- declare some function-parameters const
- fix gsm_ts_name function to display the right BTS number (bts->nr rather than bts->bts_nr)
Diffstat (limited to 'openbsc/src/gsm_04_80.c')
-rw-r--r-- | openbsc/src/gsm_04_80.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/openbsc/src/gsm_04_80.c b/openbsc/src/gsm_04_80.c
index 5d85c8221..7f5089de1 100644
--- a/openbsc/src/gsm_04_80.c
+++ b/openbsc/src/gsm_04_80.c
@@ -70,7 +70,7 @@ static inline unsigned char *msgb_push_TLV1(struct msgb *msgb, u_int8_t tag,
 /* Decode a mobile-originated USSD-request message */
-int gsm0480_decode_ussd_request(struct msgb *msg, struct ussd_request *req)
+int gsm0480_decode_ussd_request(const struct msgb *msg, struct ussd_request *req)
 {
 int rc = 0;
 u_int8_t *parse_ptr = msgb_l3(msg);
@@ -230,6 +230,9 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 if ((dcs == 0x0F) && (uss_req_data[5] == ASN1_OCTET_STRING_TAG)) {
 num_chars = (uss_req_data[6] * 8) / 7;
+ /* Prevent a mobile-originated buffer-overrun! */
+ if (num_chars > MAX_LEN_USSD_STRING)
+ num_chars = MAX_LEN_USSD_STRING;
 gsm_7bit_decode(req->text, &(uss_req_data[7]), num_chars);
 /* append null-terminator */
@@ -242,7 +245,7 @@ static int parse_process_uss_req(u_int8_t *uss_req_data, u_int8_t length,
 }
 /* Send response to a mobile-originated ProcessUnstructuredSS-Request */
-int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
+int gsm0480_send_ussd_response(const struct msgb *in_msg, const char* response_text,
 const struct ussd_request *req)
 {
 struct msgb *msg = gsm48_msgb_alloc();
@@ -295,7 +298,7 @@ int gsm0480_send_ussd_response(struct msgb *in_msg, const char* response_text,
 return gsm48_sendmsg(msg, NULL);
 }
-int gsm0480_send_ussd_reject(struct msgb *in_msg,
+int gsm0480_send_ussd_reject(const struct msgb *in_msg,
 const struct ussd_request *req)
 {
 struct msgb *msg = gsm48_msgb_alloc(); |
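Review bot: In the parse_process_uss_req hunk the new clamp bounds only the write into `req->text`; the read side is still driven by the mobile-supplied octet count `uss_req_data[6]`, and nothing visible in the hunk compares it with the `length` argument (presumably the size of `uss_req_data`), so a short message that declares a long string may make `gsm_7bit_decode` read past the received data. Unless that is already checked outside the hunk (the function starts and ends beyond it), add a guard before the decode such as `if (length < 7 || uss_req_data[6] > length - 7)` that takes the function's existing failure path. The terminator written after the decode lands at index `num_chars`, which can now equal `MAX_LEN_USSD_STRING`, so `req->text` must be declared with `MAX_LEN_USSD_STRING + 1` bytes; its declaration is not shown here and is worth confirming. A log line when the clamp fires would make over-long requests visible instead of silently shortening them.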