mirror of https://gerrit.osmocom.org/libosmocore
gsm0480: drop messages with incorrect data length
If either an INVOKE or a RETURN_RESULT component carries data with an incorrect length (see Annex A, 3GPP TS 04.80), the whole message is probably incorrect. Let's drop such messages instead of silently truncating them. Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808
parent
a24ead0126
commit
2ecfb30d7f
|
@ -552,8 +552,12 @@ static int parse_process_uss_data(const uint8_t *uss_req_data, uint16_t length,
|
||||||
if (num_chars > length - 2)
|
if (num_chars > length - 2)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
|
/* Drop messages with incorrect length */
|
||||||
num_chars = GSM0480_USSD_OCTET_STRING_LEN;
|
if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
|
||||||
|
LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, "
|
||||||
|
"dropping message", num_chars);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
memcpy(req->ussd_text, uss_req_data + 2, num_chars);
|
memcpy(req->ussd_text, uss_req_data + 2, num_chars);
|
||||||
|
|
||||||
|
@ -588,9 +592,12 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length,
|
||||||
/* Get the amount of bytes */
|
/* Get the amount of bytes */
|
||||||
num_chars = uss_req_data[6];
|
num_chars = uss_req_data[6];
|
||||||
|
|
||||||
/* Prevent a mobile-originated buffer-overrun! */
|
/* Drop messages with incorrect length */
|
||||||
if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
|
if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
|
||||||
num_chars = GSM0480_USSD_OCTET_STRING_LEN;
|
LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, "
|
||||||
|
"dropping message", num_chars);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Copy the data 'as is' */
|
/* Copy the data 'as is' */
|
||||||
memcpy(req->ussd_data, uss_req_data + 7, num_chars);
|
memcpy(req->ussd_data, uss_req_data + 7, num_chars);
|
||||||
|
@ -606,10 +613,6 @@ static int parse_process_uss_req(const uint8_t *uss_req_data, uint16_t length,
|
||||||
/* Calculate the amount of 7-bit characters */
|
/* Calculate the amount of 7-bit characters */
|
||||||
num_chars = (num_chars * 8) / 7;
|
num_chars = (num_chars * 8) / 7;
|
||||||
|
|
||||||
/* Prevent a mobile-originated buffer-overrun! */
|
|
||||||
if (num_chars > GSM0480_USSD_7BIT_STRING_LEN)
|
|
||||||
num_chars = GSM0480_USSD_7BIT_STRING_LEN;
|
|
||||||
|
|
||||||
gsm_7bit_decode_n_ussd((char *)req->ussd_text,
|
gsm_7bit_decode_n_ussd((char *)req->ussd_text,
|
||||||
sizeof(req->ussd_text), &(uss_req_data[7]), num_chars);
|
sizeof(req->ussd_text), &(uss_req_data[7]), num_chars);
|
||||||
|
|
||||||
|
|
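Review bot: In parse_process_uss_req the new check bounds `num_chars` only against the destination (GSM0480_USSD_OCTET_STRING_LEN); nothing visible in the hunk compares it with `length`, so a component that declares more octets in `uss_req_data[6]` than it actually carries would make `memcpy(req->ussd_data, uss_req_data + 7, num_chars)` and the following 7-bit decode read past the end of the input. parse_process_uss_data already has the matching source-side guard (`if (num_chars > length - 2)`). Unless an earlier check outside the hunk covers this, the same guard is wanted here before the copy, e.g. `if (length < 7 || num_chars > length - 7) return 0;`. The function starts and ends outside the hunk, so any earlier validation of `length` could not be confirmed from this page.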