nat: Some more input validation... on the paging command.

author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-03-30 06:51:23 +0200
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-03-30 06:51:23 +0200
commit: 0e09feccb0d7c15ef5a3700eefe3174f07368175 (patch)
tree: 393630b9e891dd8f04e4f249e6588b637af91a68 /openbsc/src/nat/bsc_nat_utils.c
parent: 40a1de699afd1b83bacf4a9810840895c660e8ee (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index 2428cbc2e..936026041 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -80,6 +80,11 @@ struct bsc_connection *bsc_nat_find_bsc(struct bsc_nat *nat, struct msgb *msg)
 	struct tlv_parsed tp;
 	int i = 0;
 
+	if (!msg->l3h || msgb_l3len(msg) < 3) {
+		LOGP(DNAT, LOGL_ERROR, "Paging message is too short.\n");
+		return NULL;
+	}
+
 	tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 3, msgb_l3len(msg) - 3, 0, 0);
 	if (!TLVP_PRESENT(&tp, GSM0808_IE_CELL_IDENTIFIER_LIST)) {
 		LOGP(DNAT, LOGL_ERROR, "No CellIdentifier List inside paging msg.\n");
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-03-30 06:51:23 +0200
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-03-30 06:51:23 +0200
commit	0e09feccb0d7c15ef5a3700eefe3174f07368175 (patch)
tree	393630b9e891dd8f04e4f249e6588b637af91a68 /openbsc/src/nat/bsc_nat_utils.c
parent	40a1de699afd1b83bacf4a9810840895c660e8ee (diff)