ubx.c: Add some more error checking code

commit: 4db6eb8841ddf8f8ba84801aaa0fb386a5cc4c9d [log] [tgz]
author: Dieter Spaar <spaar@mirider.augusta.de> Wed Jul 18 22:15:36 2012 +0200
committer: Harald Welte <laforge@gnumonks.org> Wed Jul 18 22:22:47 2012 +0200
tree: f896f65e217ae05bc3e267a43a8e7921440982c9
parent: fa32567711e24d7fdb670ca9b1f821b55f6104af [diff]
diff --git a/ubx.c b/ubx.c
index 83dd1f0..273c02e 100644
--- a/ubx.c
+++ b/ubx.c

@@ -60,11 +60,26 @@
 	uint8_t cksum[2], *cksum_ptr;
 	ubx_msg_handler_t h;
 
+	if (len < 2) {
+		fprintf(stderr, "[!] Length too small (%d)\n", len);
+		return -1;
+	}
+
 	if ((hdr->sync[0] != UBX_SYNC0) || (hdr->sync[1] != UBX_SYNC1)) {
 		fprintf(stderr, "[!] Invalid sync bytes\n");
 		return -1;
 	}
 
+	if (len < sizeof(struct ubx_hdr)) {
+		fprintf(stderr, "[!] Length too small for UBX header (%d)\n", len);
+		return -1;
+	}
+
+	if (len < sizeof(struct ubx_hdr) + hdr->payload_len - 2) {
+		fprintf(stderr, "[!] Length too small for UBX header and payload (%d)\n", len);
+		return -1;
+	}
+
 	ubx_checksum(msg + 2, sizeof(struct ubx_hdr) + hdr->payload_len - 2, cksum);
 	cksum_ptr = msg + (sizeof(struct ubx_hdr) + hdr->payload_len);
 	if ((cksum_ptr[0] != cksum[0]) || (cksum_ptr[1] != cksum[1])) {
commit	4db6eb8841ddf8f8ba84801aaa0fb386a5cc4c9d	[log] [tgz]
author	Dieter Spaar <spaar@mirider.augusta.de>	Wed Jul 18 22:15:36 2012 +0200
committer	Harald Welte <laforge@gnumonks.org>	Wed Jul 18 22:22:47 2012 +0200
tree	f896f65e217ae05bc3e267a43a8e7921440982c9
parent	fa32567711e24d7fdb670ca9b1f821b55f6104af [diff]