gsm48_decode_bcd_number2: fix ENOSPC edge case

Return ENOSPC if the decoding buffer is one byte too small, instead of returning 0 and silently truncating the string. Add a new "truncated" variable to detect if the loop breaks in the final iteration. The string is not truncated if there is exactly one 0xf ('\0') higher nibble remaining. This is covered by the existing test case "long 15-digit (maximum) MSISDN, limited buffer". Related: OS#4049 Change-Id: Ie05900aca50cc7fe8a45d17844dbfcd905fd82fe
2019-06-06 16:11:32 +02:00 · 2019-06-06 16:11:32 +02:00 · 186f878266
parent 8c9befeaee
commit 186f878266
3 changed files with 28 additions and 3 deletions
--- a/src/gsm/gsm48_ie.c
+++ b/src/gsm/gsm48_ie.c
@ -82,6 +82,7 @@ int gsm48_decode_bcd_number2(char *output, size_t output_len,
 {
 	uint8_t in_len;
 	int i;
+	bool truncated = false;
 	if (output_len < 1)
 		return -ENOSPC;
 	*output = '\0';
@ -94,14 +95,23 @@ int gsm48_decode_bcd_number2(char *output, size_t output_len,

 	for (i = 1 + h_len; i <= in_len; i++) {
 		/* lower nibble */
-		if (output_len <= 1)
+		if (output_len <= 1) {
+			truncated = true;
 			break;
+		}
 		*output++ = bcd_num_digits[bcd_lv[i] & 0xf];
 		output_len--;

 		/* higher nibble */
-		if (output_len <= 1)
+		if (output_len <= 1) {
+			/* not truncated if there is exactly one 0xf ('\0') higher nibble remaining */
+			if (i == in_len && (bcd_lv[i] & 0xf0) == 0xf0) {
+				break;
+			}
+
+			truncated = true;
 			break;
+		}
 		*output++ = bcd_num_digits[bcd_lv[i] >> 4];
 		output_len--;
 	}
@ -109,7 +119,7 @@ int gsm48_decode_bcd_number2(char *output, size_t output_len,
 		*output++ = '\0';

 	/* Indicate whether the output was truncated */
-	if (i < in_len)
+	if (truncated)
 		return -ENOSPC;

 	return 0;
--- a/tests/gsm0408/gsm0408_test.c
+++ b/tests/gsm0408/gsm0408_test.c
@ -727,6 +727,17 @@ static const struct bcd_number_test {
 		.dec_ascii = "(none)",
 		.dec_rc = -EIO,
 	},
+	{
+		.test_name = "decoding buffer is one byte too small (OS#4049)",
+
+		/* Decoding test */
+		.dec_hex   = "022143", /* "1234" */
+		.dec_ascii = "123",    /* '4' was truncated */
+		.dec_rc    = -ENOSPC,
+
+		/* Buffer length limitations */
+		.dec_buf_lim = 4,
+	},
 };

 static void test_bcd_number_encode_decode()
--- a/tests/gsm0408/gsm0408_test.ok
+++ b/tests/gsm0408/gsm0408_test.ok
@ -186,6 +186,10 @@ BSD number encoding / decoding test
  - Decoding HEX (buffer limit=0) ''...
    - Expected: (rc=-5) '(none)'
    -   Actual: (rc=-5) '(none)'
+- Running test: decoding buffer is one byte too small (OS#4049)
+  - Decoding HEX (buffer limit=4) '022143'...
+    - Expected: (rc=-28) '123'
+    -   Actual: (rc=-28) '123'

 Constructed RA:
 077-121-666-5