From 5060f563c6ea185842771ae311b0800d657fa14a Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 18 Mar 2018 21:55:37 +0100
Subject: BSSAP: Return error code if COMPL L3 with no or too short L3 payload
Change-Id: Ie3bf1351ed11a9eb261737c2da0361e632e7b6e5
---
 src/libmsc/a_iface_bssap.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/libmsc/a_iface_bssap.c b/src/libmsc/a_iface_bssap.c
index 7e9eae89b..f131eca74 100644
--- a/src/libmsc/a_iface_bssap.c
+++ b/src/libmsc/a_iface_bssap.c
@@ -337,6 +337,12 @@ static int bssmap_rx_l3_compl(struct osmo_sccp_user *scu, const struct a_conn_in
 msg->l3h = (uint8_t*)TLVP_VAL(tp, GSM0808_IE_LAYER_3_INFORMATION);
 msgb_l3trim(msg, TLVP_LEN(tp, GSM0808_IE_LAYER_3_INFORMATION));
+ if (msgb_l3len(msg) < sizeof(struct gsm48_hdr)) {
+ LOGP(DBSSAP, LOGL_ERROR, "COMPL_L3 with too short L3 (%d) -- discarding\n",
+ msgb_l3len(msg));
+ return -ENODATA;
+ }
+ /* Create new subscriber context */
 conn = subscr_conn_allocate_a(a_conn_info, network, lac, scu, a_conn_info->conn_id);
-- cgit v1.2.3
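Review bot: The new length test runs only after `msg->l3h` has been taken from `TLVP_VAL(...)` and `msgb_l3trim()` has been called with its return value ignored, so the "no L3" case named in the subject is covered only if an IE-presence check exists above the hunk; with an absent IE `TLVP_VAL` yields NULL, and `msgb_l3len(msg)` is then computed from a NULL `l3h`, which need not come out below `sizeof(struct gsm48_hdr)`. If no such check precedes it, validating the IE before the `msg->l3h` assignment, e.g. `if (!TLVP_PRES_LEN(tp, GSM0808_IE_LAYER_3_INFORMATION, sizeof(struct gsm48_hdr)))`, rejects both the missing and the too-short case without touching the msgb. Separately, `msgb_l3len()` returns an unsigned value, so the log format should be `%u` rather than `%d`. The body of `bssmap_rx_l3_compl` starts and ends outside the hunk, so whether the caller releases the connection on `-ENODATA` cannot be seen here.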