From 81cc8de2b75cac3b817f427f6af5d21c02a0be33 Mon Sep 17 00:00:00 2001
From: Xavier Arteaga
Date: Mon, 1 Mar 2021 11:36:49 +0100
Subject: [PATCH] Protect NAS unbounded message read
---
 lib/src/asn1/liblte_mme.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/src/asn1/liblte_mme.cc b/lib/src/asn1/liblte_mme.cc
index 32debefae..85ecd7173 100644
--- a/lib/src/asn1/liblte_mme.cc
+++ b/lib/src/asn1/liblte_mme.cc
@@ -5911,6 +5911,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT*
 {
 LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
 uint8* msg_ptr = msg->msg;
+ uint8* msg_end = msg->msg + msg->N_bytes;
 uint8 sec_hdr_type;
 if (msg != NULL && emm_info != NULL) {
@@ -5935,7 +5936,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT*
 }
 // Short Name For Network
- if (LIBLTE_MME_SHORT_NAME_FOR_NETWORK_IEI == *msg_ptr) {
+ if (msg_ptr < msg_end && LIBLTE_MME_SHORT_NAME_FOR_NETWORK_IEI == *msg_ptr) {
 msg_ptr++;
 liblte_mme_unpack_network_name_ie(&msg_ptr, &emm_info->short_net_name);
 emm_info->short_net_name_present = true;
@@ -5944,7 +5945,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT*
 }
 // Local Time Zone
- if (LIBLTE_MME_LOCAL_TIME_ZONE_IEI == *msg_ptr) {
+ if (msg_ptr < msg_end && LIBLTE_MME_LOCAL_TIME_ZONE_IEI == *msg_ptr) {
 msg_ptr++;
 liblte_mme_unpack_time_zone_ie(&msg_ptr, &emm_info->local_time_zone);
 emm_info->local_time_zone_present = true;
@@ -5953,7 +5954,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT*
 }
 // Universal Time And Local Time Zone
- if (LIBLTE_MME_UNIVERSAL_TIME_AND_LOCAL_TIME_ZONE_IEI == *msg_ptr) {
+ if (msg_ptr < msg_end && LIBLTE_MME_UNIVERSAL_TIME_AND_LOCAL_TIME_ZONE_IEI == *msg_ptr) {
 msg_ptr++;
 liblte_mme_unpack_time_zone_and_time_ie(&msg_ptr, &emm_info->utc_and_local_time_zone);
 emm_info->utc_and_local_time_zone_present = true;
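Review bot: The added `uint8* msg_end = msg->msg + msg->N_bytes;` dereferences `msg` in its initialiser, ahead of the `if (msg != NULL && emm_info != NULL)` test at the end of this hunk, so that test cannot protect against a NULL `msg`. The existing `msg_ptr` initialiser has the same ordering, so the new line follows the surrounding code, but it adds a second dereference before the guard. I would declare `uint8* msg_ptr = NULL;` and `uint8* msg_end = NULL;` and assign `msg_ptr = msg->msg; msg_end = msg_ptr + msg->N_bytes;` as the first statement inside the `if`. The function body continues outside the hunk.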
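Review bot: The new `msg_ptr < msg_end` test in the Short Name For Network branch bounds only the one-byte IEI comparison; `liblte_mme_unpack_network_name_ie(&msg_ptr, ...)` is still called with the pointer alone, so whatever it reads after the IEI is not limited by `msg_end`. The helper bodies are not part of this patch, so this is inferred from the call sites, but a message that ends right after a matching IEI would still appear to be read past `N_bytes`. The same holds for the Local Time Zone, Universal Time And Local Time Zone and Network Daylight Saving Time hunks. Consider passing `msg_end` to the IE unpackers and failing the message when an IE would overrun, or at least recording the gap with `// NOTE: only the IEI byte is bounds-checked here; the IE body is not`. Any optional-IE test earlier in the function lies outside these hunks and, going by the diffstat's four deletions, was not changed here, so it is worth checking for the same guard.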
@@ -5962,7 +5963,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emm_information_msg(LIBLTE_BYTE_MSG_STRUCT*
 }
 // Network Daylight Saving Time
- if (LIBLTE_MME_NETWORK_DAYLIGHT_SAVING_TIME_IEI == *msg_ptr) {
+ if (msg_ptr < msg_end && LIBLTE_MME_NETWORK_DAYLIGHT_SAVING_TIME_IEI == *msg_ptr) {
 msg_ptr++;
 liblte_mme_unpack_daylight_saving_time_ie(&msg_ptr, &emm_info->net_dst);
 emm_info->net_dst_present = true;