From 9a515e9b1db1a246ef5fd49c91e26410eb437dd7 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Fri, 23 Feb 2024 19:55:58 +0000
Subject: [PATCH] [GTP-U] Fixed a stack overflow bug (#3003)
---
 lib/gtp/util.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/gtp/util.c b/lib/gtp/util.c
index 3ec27d577..1e59239d2 100644
--- a/lib/gtp/util.c
+++ b/lib/gtp/util.c
@@ -65,7 +65,8 @@ int ogs_gtpu_parse_header(
 * then the value of the Next Extension Header Type shall be 0.
 */
 i = 0;
- while (*(ext_h = (((uint8_t *)gtp_h) + len - 1))) {
+ while (*(ext_h = (((uint8_t *)gtp_h) + len - 1)) &&
+ i < OGS_GTP2_NUM_OF_EXTENSION_HEADER) {
 /*
 * The length of the Extension header shall be defined
 * in a variable length of 4 octets, i.e. m+1 = n*4 octets,
@@ -125,6 +126,11 @@ int ogs_gtpu_parse_header(
 i++;
 }
 
+ if (i >= OGS_GTP2_NUM_OF_EXTENSION_HEADER) {
+ ogs_error("The number of extension headers is limited to [%d]", i);
+ return -1;
+ }
+
 } else if (gtp_h->flags & (OGS_GTPU_FLAGS_S|OGS_GTPU_FLAGS_PN)) {
 /*
 * If and only if one or more of these three flags are set,
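Review bot: The post-loop check in the second hunk, `if (i >= OGS_GTP2_NUM_OF_EXTENSION_HEADER)`, cannot distinguish a chain that the cap cut short from one that ended on its own after exactly that many headers, so a packet carrying exactly the maximum is rejected too. That fails closed, which is the right direction for untrusted GTP-U input, but if the storage indexed by `i` has OGS_GTP2_NUM_OF_EXTENSION_HEADER slots (its declaration is not in this diff) the effective limit is one lower than the constant says. The loop condition in the first hunk assigns `ext_h` before it tests `i`, so on exit it still points at the pending Next Extension Header Type; provided the elided loop body never exits with `break`, the check could be `if (*ext_h) {`, with the message printing the constant rather than `i`. Whichever limit is intended, a comment such as `/* more extension headers follow than the parser stores */` above the check would record it. The function begins and ends outside both hunks, and most of the loop body lies between them.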