From a3a548f56a0f56620e171ec5cf73dcf0abaf88d3 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond"
Date: Thu, 28 Jan 2010 00:55:12 +0000
Subject: Detect corrupted AIS messages of type 25. All regression tests pass.
---
 driver_aivdm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/driver_aivdm.c b/driver_aivdm.c
index 183fb84f..61c3210c 100644
--- a/driver_aivdm.c
+++ b/driver_aivdm.c
@@ -535,8 +535,18 @@ bool aivdm_decode(const char *buf, size_t buflen,
 gpsd_report(LOG_INF, "\n");
 break;
 case 25: /* Binary Message, Single Slot */
+ /* this check and the fikollowing one reject line noise */
+ if (ais_context->bitlen < 40 || ais_context->bitlen > 168) {
+ gpsd_report(LOG_ERROR, "AIVDM message type 25 size not between 40 to 168 bits (%zd).\n",
+ ais_context->bitlen);
+ break;
+ }
 ais->type25.addressed = (bool)UBITS(38, 1);
 ais->type25.structured = (bool)UBITS(39, 1);
+ if (ais_context->bitlen < ( 40 + (16*ais->type25.structured) + (30*ais->type25.addressed) ) ) {
+ gpsd_report(LOG_ERROR, "AIVDM message type 25 too short for mode.\n");
+ break;
+ }
 if (ais->type25.addressed)
 ais->type25.dest_mmsi = UBITS(40, 30);
 if (ais->type25.structured)
-- cgit v1.2.1
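Review bot: Both new rejection paths in the `case 25:` branch leave via `break;`, so whether a rejected sentence is reported to the caller as a decode failure depends on what follows the switch, which is outside the hunk; if aivdm_decode() returns true there, the line noise is logged but still handed on as a type 25 message. If so, `return false;` in both branches would make the rejection effective. The second check also runs after `addressed` and `structured` have already been stored in `ais`, so those fields are set even when the message is discarded. Separately, the log call formats `ais_context->bitlen` with `%zd`; if that field is a `size_t` (its declaration is not visible here), `%zu` is the matching specifier. The comment typo `fikollowing` should read `following`.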