From 08e02c9a5bfeb211a280a1070aecb50b3e33469b Mon Sep 17 00:00:00 2001
From: b1u3s <mamenglin@bupt.edu.cn>
Date: Wed, 2 Nov 2022 22:58:39 +0800
Subject: [PATCH] add length check on emergency number list

---
 lib/src/asn1/liblte_mme.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/src/asn1/liblte_mme.cc b/lib/src/asn1/liblte_mme.cc
index cfde8de37..48f3f9817 100644
--- a/lib/src/asn1/liblte_mme.cc
+++ b/lib/src/asn1/liblte_mme.cc
@@ -3019,9 +3019,13 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_emergency_number_list_ie(uint8**
     emerg_num_list->N_emerg_nums = 0;
     while (length < sent_length) {
       idx                                               = emerg_num_list->N_emerg_nums;
+      //add length check on emergency number list
+      if (idx >= LIBLTE_MME_EMERGENCY_NUMBER_LIST_MAX_SIZE) {
+        return (err);
+      }
       emerg_num_list->emerg_num[idx].N_emerg_num_digits = ((*ie_ptr)[length++] - 1) * 2;
       if (emerg_num_list->emerg_num[idx].N_emerg_num_digits > LIBLTE_MME_EMERGENCY_NUMBER_MAX_NUM_DIGITS) {
-        return err;
+        return (err);
       }
 
       emerg_num_list->emerg_num[idx].emerg_service_cat =