diff --git a/armsrc/seos.c b/armsrc/seos.c
index bb6d7a105..27b1932a4 100644
--- a/armsrc/seos.c
+++ b/armsrc/seos.c
@@ -367,9 +367,16 @@ void SimulateSeos(seos_emulate_req_t *msg) {
 // Check all requested OIDs and see if we support any
 uint8_t tlv_offset = 0;
- while (tlv_offset < received_tlv_len) {
+ while (tlv_offset + 2 <= received_tlv_len) {
+ uint8_t tag = received_tlv[tlv_offset++];
+ uint8_t length = received_tlv[tlv_offset++];
+
+ if (length > received_tlv_len - tlv_offset) {
+ break;
+ }
+ uint8_t *value = &received_tlv[tlv_offset];
 if (tag == 0x06) {
 if (length == msg->oid_len && memcmp(value, msg->oid, length) == 0) {
@@ -615,9 +622,15 @@ void SimulateSeos(seos_emulate_req_t *msg) {
 // Check all requested OIDs and see if we support any
 uint8_t tlv_offset = 0;
- while (tlv_offset < received_tlv_len) {
+ while (tlv_offset + 2 <= received_tlv_len) {
+ uint8_t tag = received_tlv[tlv_offset];
+ uint8_t length = received_tlv[tlv_offset + 1];
+ if (length > received_tlv_len - tlv_offset - 2) {
+ break;
+ }
+ uint8_t *value = &received_tlv[tlv_offset + 2];
 if (tag == 0x85) {
@@ -628,6 +641,7 @@ void SimulateSeos(seos_emulate_req_t *msg) {
 recvd_cmac_length = length;
 recvd_cmac_offset = tlv_offset;
 }
+ tlv_offset += 2 + length;
 }
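Review bot: The `break` added in the first loop (and the matching one in the second loop further down) leaves the loop silently when a length byte runs past `received_tlv_len`, so a truncated or malformed TLV list cannot be told apart afterwards from a well-formed one, and any entry matched before the bad element is still acted on. If the code after the loop (outside this hunk) should refuse such a command, record the condition before leaving, e.g. `tlv_malformed = true; break;` with `tlv_malformed` a new local that is checked once the loop ends. If tolerating it is intended, a comment such as `// Truncated TLV: stop here, earlier matches stay valid` would make that explicit. A single trailing byte also drops out through the `tlv_offset + 2 <= received_tlv_len` guard without being reported. The loop body continues past the end of the hunk, so the statement that advances `tlv_offset` by `length` is not visible here.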
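Review bot: `recvd_cmac_offset = tlv_offset;` now records the index of the tag byte, because this loop no longer moves `tlv_offset` while reading the header and only adds `2 + length` at the end of the iteration (third hunk). The previous reads of tag and length are not shown in the diff, so confirm that the code consuming `recvd_cmac_offset` expects the start of the TLV rather than the start of the value; if it wants the value, `recvd_cmac_offset = tlv_offset + 2;` is the matching change. `tlv_offset` is a `uint8_t`, so `tlv_offset += 2 + length;` is free of wrap-around only while `received_tlv_len` cannot exceed 255, which depends on a declaration outside the hunk; declaring the offset as `size_t` would remove that dependency. The two loops now walk the same structure in different forms (post-increment reads in the first, indexed reads here), and a single shared form would be easier to audit.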