diff options
author | Harald Welte <laforge@gnumonks.org> | 2018-03-18 21:55:37 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2018-03-18 21:55:37 +0100 |
commit | 5060f563c6ea185842771ae311b0800d657fa14a (patch) | |
tree | da1072bde025548e39d7b15b9a17c4d23b6cb014 /src/libmsc | |
parent | 9fac985972f217447a373e5e94a6b8c1a868b2ac (diff) |
BSSAP: Return error code if COMPL L3 with no or too short L3 payload
Change-Id: Ie3bf1351ed11a9eb261737c2da0361e632e7b6e5
Diffstat (limited to 'src/libmsc')
-rw-r--r-- | src/libmsc/a_iface_bssap.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c index 7e9eae89b..f131eca74 100644 --- a/src/libmsc/a_iface_bssap.c +++ b/src/libmsc/a_iface_bssap.c @@ -337,6 +337,12 @@ static int bssmap_rx_l3_compl(struct osmo_sccp_user *scu, const struct a_conn_in msg->l3h = (uint8_t*)TLVP_VAL(tp, GSM0808_IE_LAYER_3_INFORMATION); msgb_l3trim(msg, TLVP_LEN(tp, GSM0808_IE_LAYER_3_INFORMATION)); + if (msgb_l3len(msg) < sizeof(struct gsm48_hdr)) { + LOGP(DBSSAP, LOGL_ERROR, "COMPL_L3 with too short L3 (%d) -- discarding\n", + msgb_l3len(msg)); + return -ENODATA; + } + /* Create new subscriber context */ conn = subscr_conn_allocate_a(a_conn_info, network, lac, scu, a_conn_info->conn_id); |