Re: [PATCH 2/4] gsm0480: Fix handling GSM0480_MTYPE_FACILITY, it has only LV and facility_ie

On 22 Apr 2016, at 14:41, Sergey Kostanbaev sergey.kostanbaev@gmail.com wrote:

• case GSM0480_MTYPE_FACILITY:

• rc &= parse_ss_facility(&hdr->data[0], len - sizeof(*hdr), req);
  

• break;
  

  default: LOGP(0, LOGL_DEBUG, "Unknown GSM 04.80 message-type field 0x%02x\n", hdr->msg_type);

@@ -284,6 +288,18 @@ static int parse_ss(const struct gsm48_hdr *hdr, uint16_t len, struct ss_request return rc; }

+static int parse_ss_facility(const uint8_t *ss_facility, uint16_t len,

• 	     struct ss_request *req)
  

+{

• uint8_t facility_length;
• facility_length = ss_facility[0];
• if (len - 1 < facility_length)

• return 0;
  

• return parse_facility_ie(ss_facility + 1, facility_length, req);

+}

static int parse_ss_info_elements(const uint8_t *ss_ie, uint16_t len, struct ss_request *req)

same as with the previous commit. There is no guarantee that original_len - sizeof(*hdr) > 1 (as that was removed). So len - 1 can be UINT16_MAX here?