From 43fc466ff9d67a67052295f5b28a3b1c54cf314f Mon Sep 17 00:00:00 2001
From: b1u3s
Date: Sun, 20 Nov 2022 23:39:59 +0800
Subject: [PATCH] liblte: add length on plmn list
---
 lib/src/asn1/liblte_mme.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/src/asn1/liblte_mme.cc b/lib/src/asn1/liblte_mme.cc
index 48f3f9817..cfaab0f7d 100644
--- a/lib/src/asn1/liblte_mme.cc
+++ b/lib/src/asn1/liblte_mme.cc
@@ -612,6 +612,9 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_plmn_list_ie(uint8** ie_ptr, LIBLTE_MME_PLMN
 if (ie_ptr != NULL && plmn_list != NULL) {
 plmn_list->N_plmns = (*ie_ptr)[0] / 3;
+ if (plmn_list->N_plmns > LIBLTE_MME_PLMN_LIST_MAX_SIZE) {
+ return (err);
+ }
 for (i = 0; i < plmn_list->N_plmns; i++) {
 plmn_list->mcc[i] = ((*ie_ptr)[i * 3 + 0] & 0x0F) * 100;
 plmn_list->mcc[i] += (((*ie_ptr)[i * 3 + 0] >> 4) & 0x0F) * 10;
@@ -3213,7 +3216,7 @@ LIBLTE_ERROR_ENUM liblte_mme_unpack_generic_message_container_ie(uint8** ie_ptr,
 msg->N_bytes |= (*ie_ptr)[1];
 if (msg->N_bytes > LIBLTE_MAX_MSG_SIZE_BYTES) {
- return err;
+ return (err);
 }
 for (i = 0; i < msg->N_bytes; i++) {
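Review bot: The added bound check in liblte_mme_unpack_plmn_list_ie runs after `plmn_list->N_plmns` has already been overwritten from the length octet, so on the reject path the output struct still carries a count above LIBLTE_MME_PLMN_LIST_MAX_SIZE. A caller that ignores the return code and walks `mcc[]` by that count would read past the array, assuming the arrays are sized by that constant (their declaration is not in the hunk). Resetting the field on the reject path, `plmn_list->N_plmns = 0;` ahead of `return (err);`, keeps the struct safe to touch. The check also bounds only the destination: the function takes no input length, so nothing visible here confirms the source buffer holds the claimed number of 3-octet entries, and `(*ie_ptr)[0] / 3` silently drops any remainder; a short comment naming who validates the IE length would help. The function starts and ends outside the hunk, including where `err` is initialised.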