authorHarald Welte <laforge@osmocom.org>2020-12-03 15:36:59 +0100
committerHarald Welte <laforge@osmocom.org>2020-12-05 11:44:39 +0100
commit6c4c6f08ae13d89b375584988ed1f0556417a7cf (patch)
tree51fb5104d40ea410272d5715c95820b9f8b82949 /src/gbproxy/gb_proxy_peer.c
parentfb7f8c5f0771ad65b57cfce4357805be8c673ae7 (diff)
gb_proxy: Use TLVP_PRES_LEN instead of TLVP_PRESENT
With TLVP_PRESENT we only check if a given TLV/IE is present, but don't verify that its length matches our expectation. This can lead to out-of-bounds reads, so let's always use TLVP_PRES_LEN. Change-Id: I1519cff0f6b2fe77f9a91eee17e0055d9df1bce6
Diffstat (limited to 'src/gbproxy/gb_proxy_peer.c')
-rw-r--r--src/gbproxy/gb_proxy_peer.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/gbproxy/gb_proxy_peer.c b/src/gbproxy/gb_proxy_peer.c
index ea5fe1ee1..79ea8e332 100644
--- a/src/gbproxy/gb_proxy_peer.c
+++ b/src/gbproxy/gb_proxy_peer.c
@@ -165,7 +165,7 @@ struct gbproxy_peer *gbproxy_peer_by_lac(struct gbproxy_config *cfg,
struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
struct tlv_parsed *tp)
{
- if (TLVP_PRESENT(tp, BSSGP_IE_BVCI)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, 2)) {
uint16_t bvci;
bvci = ntohs(tlvp_val16_unal(tp, BSSGP_IE_BVCI));
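Review bot: A BVCI IE that is present but shorter than 2 octets is now handled exactly like an absent one, so the lookup silently falls through to the RAI and LAI branches instead of flagging the malformed message; the same holds for the `TLVP_PRES_LEN` checks in the other two hunks. If that fallback is intended, say so next to the check, e.g. `/* a too-short BVCI IE is treated as absent; fall through to the RAI/LAI lookup */`; if it is not, the short-IE case deserves its own error log so truncated BSSGP messages from a peer are visible to operators. As defined in libosmocore, TLVP_PRES_LEN is a minimum-length test, which is what the bounds fix needs, but over-long IEs are still accepted. The function body continues outside this hunk.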
@@ -174,7 +174,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
}
/* FIXME: this doesn't make sense, as RA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_ROUTEING_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_ROUTEING_AREA, 6)) {
uint8_t *rai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_ROUTEING_AREA);
/* Only compare LAC part, since MCC/MNC are possibly patched.
* Since the LAC of different BSS must be different when
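Review bot: The literal `6` in the RAI check (and the `5` in the LAI check of the next hunk) is not tied to anything a reader can verify against the accesses, while the existing comment says only the LAC part is compared. A one-line comment above each `if` would document where the bound comes from, e.g. `/* RAI = MCC/MNC (3) + LAC (2) + RAC (1) octets */` here and `/* LAI = MCC/MNC (3) + LAC (2) octets */` for the LAI branch. The rest of this branch lies outside the hunk, so which offsets into `rai` are actually read cannot be confirmed from here.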
@@ -183,7 +183,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
}
/* FIXME: this doesn't make sense, as LA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_LOCATION_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_LOCATION_AREA, 5)) {
uint8_t *lai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_LOCATION_AREA);
return gbproxy_peer_by_lac(cfg, lai);
}