laforge submitted this change.
remsim-client: Don't attempt to pass on illegal TPDU length
TPDUs with length < 5 or > 260 bytes are illegal in T=0. It doesn't
make sense to send them to bankd, triggering bugs in either bankd,
pcsc-lite or the CCID firmware down the road. Let's filter them right
where they might originate.
Change-Id: I175eb4622d0e69dbc6aca2cddfe091a78f225da5
---
M src/client/main_fsm.c
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/client/main_fsm.c b/src/client/main_fsm.c
index 18798d3..5a35567 100644
--- a/src/client/main_fsm.c
+++ b/src/client/main_fsm.c
@@ -331,6 +331,11 @@
case MF_E_MDM_TPDU:
tpdu = data;
OSMO_ASSERT(tpdu);
+ if (tpdu->len < 5 || tpdu->len > 260) {
+ LOGPFSML(fi, LOGL_ERROR, "Modem submitted illegal TPDU length %zu (%s), dropping\n", tpdu->len,
+ osmo_hexdump_nospc(tpdu->buf, tpdu->len));
+ break;
+ }
LOGPFSML(fi, LOGL_INFO, "Tx tpduModemToCard (%s)\n", osmo_hexdump_nospc(tpdu->buf, tpdu->len));
/* forward to bankd */
bank_slot2rspro(&bslot, &bc->bankd_slot);
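Review bot: In the rejected branch, the error log still passes the unchecked `tpdu->len` to `osmo_hexdump_nospc(tpdu->buf, tpdu->len)`, so in the `> 260` case the length that was just judged illegal decides how many bytes are read and written to the log. Consider clamping the dumped length, for example with `OSMO_MIN(tpdu->len, 260)`, while still reporting the real length through the existing `%zu`. The bounds 5 and 260 would also read better as named constants with a comment tying them to the T=0 limits the commit message cites. Separately, the `break` drops the TPDU with no signal back towards the modem visible in this hunk; if that side waits for a card response, it is worth confirming the drop does not leave it stalled.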
To view, visit change 42230.