Add error checks for packets of bad sizes.

diff --git a/jeeps/gpsread.c b/jeeps/gpsread.c
index 2bf926b1dad8eebe112e08b1b59d48675b4c3985..56ea632face2b00ba3078b57f060d40b6427c8df 100644 (file)
--- a/jeeps/gpsread.c
+++ b/jeeps/gpsread.c
@@ -172,6 +172,12 @@ int32 GPS_Serial_Packet_Read(gpsdevh *fd, GPS_PPacket *packet)
                    return (*packet)->n;
                }
                
+           if (p - (*packet)->data >= MAX_GPS_PACKET_SIZE)
+           {
+               GPS_Error("GPS_Serial_Packet_Read: Bad payload size/no ETX found");
+               gps_errno = FRAMING_ERROR;
+               return 0;
+           }
            *p++ = u;
        }
     }

diff --git a/jeeps/gpsusbread.c b/jeeps/gpsusbread.c
index d061f312abbd4e62130f735f55c8ce540c82b64a..ed075a55303e28082c5572801e44a625d0b32917 100644 (file)
--- a/jeeps/gpsusbread.c
+++ b/jeeps/gpsusbread.c
@@ -71,6 +71,12 @@ do_over:
         */
        (*packet)->type = le_read16(&pkt.gusb_pkt.pkt_id);
        payload_size = le_read32(&pkt.gusb_pkt.datasz);
+       if (payload_size<0 || payload_size>MAX_GPS_PACKET_SIZE)
+       {
+               GPS_Error("GPS_Packet_Read_usb: Bad payload size %d", payload_size);
+               gps_errno = FRAMING_ERROR;
+               return 0;
+       }
        (*packet)->n = payload_size;
        memcpy((*packet)->data, &pkt.gusb_pkt.databuf, payload_size);