From 7c11ff5330d2e7bf342cfc8cf695cfacd9d7130d Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 24 Mar 2026 11:13:19 +0700 Subject: [PATCH] added extra length checks --- armsrc/seos.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/armsrc/seos.c b/armsrc/seos.c index bb6d7a105..27b1932a4 100644 --- a/armsrc/seos.c +++ b/armsrc/seos.c @@ -367,9 +367,16 @@ void SimulateSeos(seos_emulate_req_t *msg) { // Check all requested OIDs and see if we support any uint8_t tlv_offset = 0; - while (tlv_offset < received_tlv_len) { + while (tlv_offset + 2 <= received_tlv_len) { + uint8_t tag = received_tlv[tlv_offset++]; + uint8_t length = received_tlv[tlv_offset++]; + + if (length > received_tlv_len - tlv_offset) { + break; + } + uint8_t *value = &received_tlv[tlv_offset]; if (tag == 0x06) { if (length == msg->oid_len && memcmp(value, msg->oid, length) == 0) { @@ -615,9 +622,15 @@ void SimulateSeos(seos_emulate_req_t *msg) { // Check all requested OIDs and see if we support any uint8_t tlv_offset = 0; - while (tlv_offset < received_tlv_len) { + while (tlv_offset + 2 <= received_tlv_len) { + uint8_t tag = received_tlv[tlv_offset]; + uint8_t length = received_tlv[tlv_offset + 1]; + if (length > received_tlv_len - tlv_offset - 2) { + break; + } + uint8_t *value = &received_tlv[tlv_offset + 2]; if (tag == 0x85) { @@ -628,6 +641,7 @@ void SimulateSeos(seos_emulate_req_t *msg) { recvd_cmac_length = length; recvd_cmac_offset = tlv_offset; } + tlv_offset += 2 + length; }
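Review bot: The new bound in the first loop, `length > received_tlv_len - tlv_offset`, is only sound while `tlv_offset` cannot wrap, and `tlv_offset` is a `uint8_t` that is post-incremented twice per element. If `received_tlv_len` can ever exceed 255, an offset of 254 wraps to 0 after the two reads, the remainder is computed from the wrong position, and parsing restarts at the beginning of the buffer. The declaration of `received_tlv_len` is outside this hunk, so please confirm its range or widen the index, e.g. `size_t tlv_offset = 0;`. The same declaration appears in the loop at `@@ -615,9 +622,15 @@`.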
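Review bot: On a truncated element the check `if (length > received_tlv_len - tlv_offset - 2)` only does `break`, so values collected from earlier elements are kept and the code after the loop, which is outside this hunk, cannot tell a malformed reader message from a well-formed one. If that later code does not already validate the result, consider recording the failure and rejecting the command, for example `tlv_malformed = true; break;` (the flag name is constructed for illustration). A short comment would also document the parser's assumption: `// tag and length are one byte each; stop if the value would run past the received data`. This loop reads the header with `tlv_offset + 1` and `tlv_offset + 2` while the first loop uses post-increment, so using one form in both would make the two bounds checks directly comparable.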