ipaccess: Verify that the data fits in the package.
There is something wrong with the code, the length is
here uint8_t but when we generate a IDGET we put it
as 16bit data.
diff --git a/openbsc/src/input/ipaccess.c b/openbsc/src/input/ipaccess.c
index 74c850c..faa5458 100644
--- a/openbsc/src/input/ipaccess.c
+++ b/openbsc/src/input/ipaccess.c
@@ -103,16 +103,23 @@
memset(dec, 0, sizeof(*dec));
- while (cur < buf + len) {
+ while (len >= 2) {
+ len -= 2;
t_len = *cur++;
t_tag = *cur++;
+ if (t_len > len + 1) {
+ LOGP(DMI, LOGL_ERROR, "The tag does not fit: %d\n", t_len);
+ return -1;
+ }
+
DEBUGPC(DMI, "%s='%s' ", ipac_idtag_name(t_tag), cur);
dec->lv[t_tag].len = t_len;
dec->lv[t_tag].val = cur;
cur += t_len;
+ len -= t_len;
}
return 0;
}