From e0bc9b9f37be291a0aa0b63124ff60741d9206f4 Mon Sep 17 00:00:00 2001
From: Michael Zillgith
Date: Fri, 9 Mar 2018 21:00:31 +0100
Subject: [PATCH] - client: fixed bug in parsing initiate response message
---
src/mms/iso_mms/client/mms_client_initiate.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/mms/iso_mms/client/mms_client_initiate.c b/src/mms/iso_mms/client/mms_client_initiate.c
index 5cf93b43f..ed2c60b41 100644
--- a/src/mms/iso_mms/client/mms_client_initiate.c
+++ b/src/mms/iso_mms/client/mms_client_initiate.c
@@ -170,20 +170,30 @@ mmsClient_parseInitiateResponse(MmsConnection self)
 self->parameters.maxServOutstandingCalled = DEFAULT_MAX_SERV_OUTSTANDING_CALLED;
 self->parameters.maxServOutstandingCalling = DEFAULT_MAX_SERV_OUTSTANDING_CALLING;
- int bufPos = 0;
+ int bufPos = 1; /* ignore tag - already checked */
+ int maxBufPos = ByteBuffer_getSize(self->lastResponse);
 uint8_t* buffer = ByteBuffer_getBuffer(self->lastResponse);
+ int length;
+ bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+
+ if (bufPos < 0)
+ return false;
+
+ if (bufPos + length > maxBufPos)
+ return false;
+
 while (bufPos < maxBufPos) {
 uint8_t tag = buffer[bufPos++];
- int length;
 bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
- if (bufPos < 0) {
- // TODO write initiate error PDU!
+ if (bufPos < 0)
+ return false;
+
+ if (bufPos + length > maxBufPos)
 return false;
- }
 switch (tag) {
 case 0x80: /* local-detail-calling */
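Review bot: The outer `length` decoded right after `int bufPos = 1;` is range-checked but never used to bound the parse: the `while` still runs to `maxBufPos`, so any bytes following the declared end of the InitiateResponse body are decoded as if they were its elements. Capture the end once, `int endPos = bufPos + length;`, and loop with `while (bufPos < endPos) {` so the element loop honours the length the check just validated. Both new bounds checks are also written as `bufPos + length > maxBufPos`; if `BerDecoder_decodeLength` can ever hand back a negative or very large `length` (its contract is not visible in this hunk), the addition can overflow before the comparison, whereas `if (length < 0 || length > maxBufPos - bufPos)` rejects both cases without arithmetic on untrusted values. The body of mmsClient_parseInitiateResponse continues past the end of the hunk, so how each `case` consumes its `length` bytes cannot be confirmed here.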