From 16716d83c17f0540760c8dc12fc2be6853a9f25a Mon Sep 17 00:00:00 2001
From: Stefan Wahren
Date: Fri, 6 Apr 2012 18:57:55 +0200
Subject: [PATCH] Added bugfix to stop parsing in frames with more data than specified

---
 mbus/mbus-protocol.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mbus/mbus-protocol.c b/mbus/mbus-protocol.c
index 9567c6c..e756ea2 100644
--- a/mbus/mbus-protocol.c
+++ b/mbus/mbus-protocol.c
@@ -2129,6 +2129,14 @@ mbus_parse(mbus_frame *frame, u_char *data, size_t data_size)
         return MBUS_FRAME_FIXED_SIZE_LONG + len - data_size;
     }
 
+    if (data_size > (size_t)(MBUS_FRAME_FIXED_SIZE_LONG + len))
+    {
+        snprintf(error_str, sizeof(error_str), "Too much data in frame.");
+
+        // too much data... ?
+        return -2;
+    }
+
     // we got the whole packet, continue parsing
     frame->start2 = data[3];
     frame->control = data[4];
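Review bot: The new early return hands callers an undocumented -2 for the oversized-buffer case, and the comment `// too much data... ?` left above it reads as the author doubting the decision rather than explaining it. Replace it with a definite statement of the contract, e.g. `// Buffer holds more bytes than the announced frame length; refuse it rather than parse a frame whose trailer position no longer matches the buffer.`, and add -2 to the list of return values in mbus_parse's header comment, which lies outside this hunk together with the rest of the function. Note that the check just above returns a positive "bytes still missing" count, so callers presumably accumulate input and call again; if any caller can ever pass a buffer that already contains the first bytes of the next frame, this change turns valid input into a hard error, so either confirm no caller does that or consider returning the number of bytes consumed instead of a bare error. The `(size_t)` cast also assumes `MBUS_FRAME_FIXED_SIZE_LONG + len` is non-negative, which holds if `len` is an unsigned byte read from the header as the surrounding code suggests but is not visible here — worth a one-line comment.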