changeset 920:cb439d57d0c5
Fix parsing of incoming AVPs with 0-byte length at the end of the message
author | Sebastien Decugis <sdecugis@freediameter.net> |
---|---|
date | Tue, 12 Feb 2013 18:42:33 +0100 |
parents | b1776283d69e |
children | a0ab56aa089f |
files | libfdproto/messages.c |
diffstat | 1 files changed, 4 insertions(+), 3 deletions(-) [+] |
--- a/libfdproto/messages.c Tue Feb 12 18:19:19 2013 +0100
+++ b/libfdproto/messages.c Tue Feb 12 18:42:33 2013 +0100
@@ -1652,7 +1652,7 @@
 while (offset < buflen) {
 struct avp * avp;
- if (buflen - offset <= AVPHDRSZ_NOVEND) {
+ if (buflen - offset < AVPHDRSZ_NOVEND) {
 TRACE_DEBUG(INFO, "truncated buffer: remaining only %d bytes", buflen - offset);
 return EBADMSG;
 }
@@ -1670,7 +1670,7 @@
 offset += 8;
 if (avp->avp_public.avp_flags & AVP_FLAG_VENDOR) {
- if (buflen - offset <= 4) {
+ if (buflen - offset < 4) {
 TRACE_DEBUG(INFO, "truncated buffer: remaining only %d bytes for vendor and data", buflen - offset);
 free(avp);
 return EBADMSG;
@@ -1680,7 +1680,8 @@
 }
 /* Check there is enough remaining data in the buffer */
- if (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags)) {
+ if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags))
+ && (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) {
 TRACE_DEBUG(INFO, "truncated buffer: remaining only %d bytes for data, and avp data size is %d", buflen - offset, avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags));
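Review bot: The relaxed bounds in the first two hunks (`<` instead of `<=`) have no comment saying why a remainder of exactly the header size is now accepted, so the boundary is easy to regress in a later cleanup. A comment above the first check would record the intent, for example `/* an AVP may carry zero bytes of data, so exactly AVPHDRSZ_NOVEND remaining bytes is a valid header */`. A matching one-line comment on the vendor check (`buflen - offset < 4`) would help too. The enclosing loop starts and continues outside these hunks.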
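Review bot: The new `avp_len > GETAVPHDRSZ(...)` guard in the third hunk skips the truncation check whenever the declared AVP length is smaller than the AVP's own header size, so a malformed AVP of that kind is no longer rejected here. If `avp_len` is unsigned (its type is not visible in the hunk), the old subtraction wrapped to a large value and such input failed the check as a side effect. Any later use of `avp_len - GETAVPHDRSZ(...)` outside this hunk would now see that wrapped value. Rejecting the undersized length explicitly before the remaining-data check keeps the zero-data case working: `if (avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags)) { free(avp); return EBADMSG; }`. The rest of the loop body lies outside the hunk, so how the data length is consumed afterwards should be confirmed there.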