From 708d347e14b5c5c699cf8f69d23644295faccb8b Mon Sep 17 00:00:00 2001
From: XANTRONIX Development
Date: Fri, 17 Jul 2020 01:30:17 -0400
Subject: [PATCH] Fix bad logic parsing XID parameters
---
 src/frame.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/frame.c b/src/frame.c
index dc17ca5..089e900 100644
--- a/src/frame.c
+++ b/src/frame.c
@@ -278,8 +278,8 @@ ssize_t patty_ax25_frame_decode_xid(patty_ax25_frame_xid_callback callback,
 void *ctx) {
 size_t start = offset;
- patty_ax25_frame_xid_element *elem = ((patty_ax25_frame_xid_element *)
- (uint8_t *)data + offset);
+ patty_ax25_frame_xid_element *elem = (patty_ax25_frame_xid_element *)
+ ((uint8_t *)data + offset);
 if (elem->format != 0x82 || elem->group != 0x80) {
 errno = EIO;
@@ -287,7 +287,7 @@ ssize_t patty_ax25_frame_decode_xid(patty_ax25_frame_xid_callback callback,
 goto error;
 }
- if (be16toh(elem->len) != len - offset) {
+ if (be16toh(elem->len) != len - sizeof(*elem) - offset) {
 errno = EIO;
 goto error;
@@ -295,7 +295,7 @@ ssize_t patty_ax25_frame_decode_xid(patty_ax25_frame_xid_callback callback,
 offset += sizeof(*elem);
- while (offset < start + len) {
+ while (offset < len) {
 patty_ax25_frame_xid_param *param = (patty_ax25_frame_xid_param *) ((uint8_t *)data + offset);
@@ -309,7 +309,7 @@ ssize_t patty_ax25_frame_decode_xid(patty_ax25_frame_xid_callback callback,
 offset += sizeof(*param) + param->len;
 }
- if (offset != start + len) {
+ if (offset != len) {
 errno = EIO;
 goto error;
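Review bot: `elem->format` and `elem->group` are read straight after the cast, before anything in this hunk confirms that `data` holds a full element header at `offset`; on a truncated XID frame that is a read past the end of the buffer. The length comparison in the next hunk (`len - sizeof(*elem) - offset`) runs only after those reads and itself relies on unsigned wrap-around when the frame is short, assuming `len` and `offset` are `size_t` (their declarations are outside the hunk). A guard ahead of the first dereference would cover both: `if (offset > len || len - offset < sizeof(*elem)) { errno = EIO; goto error; }`. The function body starts and ends outside this hunk, so a caller-side check may already exist; if it does, a comment stating that precondition would help.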
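Review bot: The meaning of `len` changes with this comparison and is not documented: it now reads as the total length of `data`, and the group length must equal exactly the bytes that follow the element header, so any trailing bytes after the XID group are rejected with EIO. A comment above the check would make that contract explicit, for example `/* len is the full length of data; the group length must account for every byte after this header */`. The parameter declarations are outside the hunk, so this reading of `len` is inferred from the arithmetic here and in the loop conditions of the later hunks.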
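Review bot: The loop condition `offset < len` guarantees only one readable byte, yet the body casts to `patty_ax25_frame_xid_param` and later reads `param->len`, so a frame that ends partway through a parameter header is read out of bounds. The lines between this hunk and the last one are not shown; if they hand `param` to the callback, a `param->len` larger than the remaining bytes reaches the callback before the post-loop `offset != len` check in the last hunk rejects the frame. Checking inside the loop before `param` is used would avoid that: `if (len - offset < sizeof(*param)) { errno = EIO; goto error; }` followed by `if (param->len > len - offset - sizeof(*param)) { errno = EIO; goto error; }`.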