From 8daa834607cdd5ce706b23c0e44d5e4c8a6c5424 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Wed, 31 Jan 2018 15:05:17 +0100
Subject: [PATCH] fix ASN1 s1ap code by checking upper bound of buffer
---
lib/src/asn1/liblte_s1ap.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/src/asn1/liblte_s1ap.cc b/lib/src/asn1/liblte_s1ap.cc
index 31c7391ab..530767c2f 100644
--- a/lib/src/asn1/liblte_s1ap.cc
+++ b/lib/src/asn1/liblte_s1ap.cc
@@ -2243,6 +2243,12 @@ LIBLTE_ERROR_ENUM liblte_s1ap_pack_imsi( if(ie != NULL && ptr != NULL) { + // max length of IE buffer is 32, so limit + if (ie->n_octets > 31) { + printf("Length in struct exceeds buffer (%d > 31).\n", ie->n_octets); + return LIBLTE_ERROR_ENCODE_FAIL; + } + // Dynamic octet string - IMSI // Length if(ie->n_octets < 128) {
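Review bot: The new guard compares against the literal 31 while the comment directly above it says the IE buffer holds 32 octets, so either a length of exactly 32 is rejected needlessly or the comment is wrong; the struct is not shown, so this cannot be settled from the hunk. Deriving the limit from the declaration, e.g. `if (ie->n_octets > sizeof(ie->OCTET_ARRAY)) {` (OCTET_ARRAY is a placeholder for the member name, which is outside the hunk), keeps the check correct if the array size ever changes. `n_octets` is printed with `%d`; if it is an unsigned type, as a length field usually is, the format should be `%u` or the argument cast. The guard covers only the pack path: the matching unpack routine presumably takes its length from a received message, and if it fills the same fixed array it needs the same bound, because there the value is controlled by the peer. The body of liblte_s1ap_pack_imsi starts and ends outside this hunk.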