diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-03-30 06:51:23 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-06-15 20:24:09 +0800 |
commit | e9be5175ffdd594a09e0f36e611988f15fcd6b96 (patch) | |
tree | 57b26202f76b2828aeceb969500a37d9bc497c24 /openbsc/src/nat/bsc_nat_utils.c | |
parent | a5784b58f08b02a4c74699cdd1fc898a24d9f5fe (diff) |
nat: Some more input validation... on the paging command.
Diffstat (limited to 'openbsc/src/nat/bsc_nat_utils.c')
-rw-r--r-- | openbsc/src/nat/bsc_nat_utils.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c index 8d9ec2c0d..bbbc6e2aa 100644 --- a/openbsc/src/nat/bsc_nat_utils.c +++ b/openbsc/src/nat/bsc_nat_utils.c @@ -80,6 +80,11 @@ struct bsc_connection *bsc_nat_find_bsc(struct bsc_nat *nat, struct msgb *msg) struct tlv_parsed tp; int i = 0; + if (!msg->l3h || msgb_l3len(msg) < 3) { + LOGP(DNAT, LOGL_ERROR, "Paging message is too short.\n"); + return NULL; + } + tlv_parse(&tp, gsm0808_att_tlvdef(), msg->l3h + 3, msgb_l3len(msg) - 3, 0, 0); if (!TLVP_PRESENT(&tp, GSM0808_IE_CELL_IDENTIFIER_LIST)) { LOGP(DNAT, LOGL_ERROR, "No CellIdentifier List inside paging msg.\n"); |