bssap_conn: fix missing length check

Fixes: Coverity CID#273004
Change-Id: I1fc4c81e139bab3d7d977ef9467f62d8088884db
Oliver Smith 2022-07-12 15:22:40 +02:00
parent 07180351c4
commit c732e25604
1 changed files with 20 additions and 0 deletions


@ -18,6 +18,7 @@
*/
#include "config.h"
#include <errno.h>
#include <osmocom/core/msgb.h>
#include <osmocom/gsm/gsm0808.h>
#include <osmocom/sigtran/sccp_helpers.h>
@ -25,6 +26,9 @@
#include <osmocom/bsc_nat/subscr_conn.h>
#include <osmocom/bsc_nat/subscr_conn_fsm.h>
#define IP_V4_ADDR_LEN 4
#define IP_V6_ADDR_LEN 16
int bssmap_replace_ie_aoip_transp_addr(struct msgb **msg, struct sockaddr_storage *ss)
{
struct msgb *msg_new;
@ -50,6 +54,22 @@ int bssmap_replace_ie_aoip_transp_addr(struct msgb **msg, struct sockaddr_storag
return rv;
}
if (tag == GSM0808_IE_AOIP_TRASP_ADDR) {
switch (ss->ss_family) {
case AF_INET:
len = IP_V4_ADDR_LEN;
break;
case AF_INET6:
len = IP_V6_ADDR_LEN;
}
}
if (len >= msgb_tailroom(msg_new)) {
LOGP(DMAIN, LOGL_ERROR, "Tailroom too small to encode tag %d into copy of bssmap msg\n", tag);
msgb_free(msg_new);
return -EINVAL;
}
if (tag == GSM0808_IE_AOIP_TRASP_ADDR)
rc = gsm0808_enc_aoip_trasp_addr(msg_new, ss);
else
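Review bot: The `switch (ss->ss_family)` feeding the new tailroom guard has no `default`, so for any family other than AF_INET or AF_INET6 `len` keeps whatever value it was given before the hunk and the guard bounds the wrong size. Reject that case explicitly with `default: msgb_free(msg_new); return -EINVAL;`, and add a `break;` after the AF_INET6 assignment. The guard also compares only the raw address length (4 or 16) with `msgb_tailroom(msg_new)`, while `gsm0808_enc_aoip_trasp_addr()` presumably also appends the IE tag, length octet and port, so `len` should cover the full encoded IE before the comparison. The function starts and ends outside the hunk, so how `len` is set for other tags and whether the encoder's return value `rc` is checked cannot be confirmed from here.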