- client: fixed bug in parsing initiate response message

mz-automation · Mar 9, 2018 · e0bc9b9 · e0bc9b9
1 parent 4997104
commit e0bc9b9
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/src/mms/iso_mms/client/mms_client_initiate.c b/src/mms/iso_mms/client/mms_client_initiate.c
@@ -170,20 +170,30 @@ mmsClient_parseInitiateResponse(MmsConnection self)
     self->parameters.maxServOutstandingCalled = DEFAULT_MAX_SERV_OUTSTANDING_CALLED;
     self->parameters.maxServOutstandingCalling = DEFAULT_MAX_SERV_OUTSTANDING_CALLING;
 
-    int bufPos = 0;
+    int bufPos = 1; /* ignore tag - already checked */
+
     int maxBufPos = ByteBuffer_getSize(self->lastResponse);
     uint8_t* buffer = ByteBuffer_getBuffer(self->lastResponse);
 
+    int length;
+    bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+
+    if (bufPos < 0)
+        return false;
+
+    if (bufPos + length > maxBufPos)
+        return false;
+
     while (bufPos < maxBufPos) {
         uint8_t tag = buffer[bufPos++];
-        int length;
 
         bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
 
-        if (bufPos < 0)  {
-            // TODO write initiate error PDU!
+        if (bufPos < 0)
+            return false;
+
+        if (bufPos + length > maxBufPos)
             return false;
-        }
 
         switch (tag) {
         case 0x80: /* local-detail-calling */