author | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2024-01-06 18:25:39 +0700 |
---|---|---|
committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2024-01-16 01:37:02 +0700 |
commit | bb0ac02ecff37cc76d91b14c73bd07ef198ef142 (patch) | |
tree | a96082e42bfa7a27865c2aa6ee60c92ea97f140b /src/host/layer23/src/mobile/gsm48_mm.c | |
parent | 83e36c0caf3082b194f5c3995ab299675c4893c1 (diff) |
mobile: always check return value of tlv_parse()
Change-Id: Id02fc0b1af6da939cb72f327c7d2ddca484ca063
Diffstat (limited to 'src/host/layer23/src/mobile/gsm48_mm.c')
-rw-r--r-- | src/host/layer23/src/mobile/gsm48_mm.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/src/host/layer23/src/mobile/gsm48_mm.c b/src/host/layer23/src/mobile/gsm48_mm.c
index 378cd2d2..16a9b07b 100644
--- a/src/host/layer23/src/mobile/gsm48_mm.c
+++ b/src/host/layer23/src/mobile/gsm48_mm.c
@@ -2259,11 +2259,13 @@ static int gsm48_mm_rx_info(struct osmocom_ms *ms, struct msgb *msg)
 struct tlv_parsed tp;
 if (payload_len < 0) {
- LOGP(DMM, LOGL_NOTICE, "Short read of MM INFORMATION message "
- "error.\n");
+ LOGP(DMM, LOGL_ERROR, "Short read of MM INFORMATION message\n");
+ return -EINVAL;
+ }
+ if (tlv_parse(&tp, &gsm48_mm_att_tlvdef, gh->data, payload_len, 0, 0) < 0) {
+ LOGP(DMM, LOGL_ERROR, "%s(): tlv_parse() failed\n", __func__);
 return -EINVAL;
 }
- tlv_parse(&tp, &gsm48_mm_att_tlvdef, gh->data, payload_len, 0, 0);
 /* long name */
 if (TLVP_PRESENT(&tp, GSM48_IE_NAME_LONG)) {
@@ -2611,15 +2613,17 @@ static int gsm48_mm_rx_loc_upd_acc(struct osmocom_ms *ms, struct msgb *msg)
 struct tlv_parsed tp;
 struct msgb *nmsg;
- if (payload_len < sizeof(struct gsm48_loc_area_id)) {
- short_read:
- LOGP(DMM, LOGL_NOTICE, "Short read of LOCATION UPDATING ACCEPT "
- "message error.\n");
+ if (payload_len < 0) {
+short_read:
+ LOGP(DMM, LOGL_ERROR, "Short read of LOCATION UPDATING ACCEPT message\n");
+ return -EINVAL;
+ }
+ if (tlv_parse(&tp, &gsm48_mm_att_tlvdef,
+ gh->data + sizeof(*lai),
+ payload_len - sizeof(*lai), 0, 0) < 0) {
+ LOGP(DMM, LOGL_ERROR, "%s(): tlv_parse() failed\n", __func__);
 return -EINVAL;
 }
- tlv_parse(&tp, &gsm48_mm_att_tlvdef,
- gh->data + sizeof(struct gsm48_loc_area_id),
- payload_len - sizeof(struct gsm48_loc_area_id), 0, 0);
 /* update has finished */
 mm->lupd_pending = 0; |
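Review bot: The new `if (payload_len < 0)` guard in gsm48_mm_rx_loc_upd_acc() no longer ensures the payload holds a complete location area identifier, yet the tlv_parse() call right below it still skips `sizeof(*lai)` bytes and passes `payload_len - sizeof(*lai)` as the length. For a payload shorter than the LAI that subtraction is evaluated in size_t and wraps, so the length handed to tlv_parse() is no longer a valid remaining size, and whether tlv_parse() then reports an error is not visible here. The declaration of payload_len and the later uses of `lai` are outside the hunk; if payload_len is unsigned the `< 0` test can never be true, and if it is signed any read through `lai` after this point would presumably go past the received data. I would keep the minimum-length check from the removed line, e.g. `if (payload_len < (int)sizeof(*lai)) {`, so a truncated LOCATION UPDATING ACCEPT from the network is rejected before parsing.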