From 0368a9e8159367430188b2b4c2351576f2b8fe61 Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol
Date: Mon, 5 Feb 2024 14:43:11 +0100
Subject: [PATCH] abis_nm_sw_act_req_ack: attr_len should be unsigned

Change-Id: I5c0ba76b5cc2464c7e362a850325c94770f38397
---
 include/osmocom/bsc/abis_nm.h | 2 +-
 src/osmo-bsc/abis_nm.c | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/include/osmocom/bsc/abis_nm.h b/include/osmocom/bsc/abis_nm.h
index 59a6dc9b0..f55c29c9d 100644
--- a/include/osmocom/bsc/abis_nm.h
+++ b/include/osmocom/bsc/abis_nm.h
@@ -87,7 +87,7 @@ int abis_nm_set_radio_attr(struct gsm_bts_trx *trx, uint8_t *attr, int attr_len)
 int abis_nm_set_channel_attr(struct gsm_bts_trx_ts *ts, uint8_t chan_comb);
 int abis_nm_sw_act_req_ack(struct gsm_bts *bts, uint8_t obj_class, uint8_t i1, uint8_t i2, uint8_t i3, int nack,
- const uint8_t *attr, int attr_len);
+ const uint8_t *attr, unsigned int attr_len);
 int abis_nm_raw_msg(struct gsm_bts *bts, int len, uint8_t *msg);
 int abis_nm_event_reports(struct gsm_bts *bts, int on);
 int abis_nm_reset_resource(struct gsm_bts *bts);
diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index e8327ddbc..7a9789bc9 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -756,11 +756,16 @@ static int abis_nm_rx_sw_act_req(struct msgb *mb)
 DEBUGPFOH(DNM, foh, "Software Activate Request, ACKing and Activating\n");
+ if (oh->length < sizeof(*foh)) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "Software Activate Request with length too small: %u\n", oh->length);
+ return -EINVAL;
+ }
+
 ret = abis_nm_sw_act_req_ack(sign_link->trx->bts, foh->obj_class, foh->obj_inst.bts_nr, foh->obj_inst.trx_nr, foh->obj_inst.ts_nr, 0,
- foh->data, oh->length-sizeof(*foh));
+ foh->data, oh->length - sizeof(*foh));
 if (ret != 0) {
 LOGPFOH(DNM, LOGL_ERROR, foh, "Sending SW ActReq ACK failed: %d\n", ret);
 return ret;
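Review bot: The added guard in abis_nm_rx_sw_act_req only puts a lower bound on `oh->length`; nothing in the hunk compares it with the number of bytes actually received in `mb`. A peer that declares a length larger than the message it sent would still have `oh->length - sizeof(*foh)` bytes taken from `foh->data` and passed on as the attribute list, presumably to be copied into the ACK. Unless an earlier check outside this hunk already covers that, extend the condition, e.g. `if (oh->length < sizeof(*foh) || oh->length > msgb_l3len(mb)) {` (this assumes `foh` is the msgb's L3 header, which the hunk does not show). The function begins and ends outside the hunk.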
@@ -2165,7 +2170,7 @@ int abis_nm_set_channel_attr(struct gsm_bts_trx_ts *ts, uint8_t chan_comb)
 int abis_nm_sw_act_req_ack(struct gsm_bts *bts, uint8_t obj_class, uint8_t i1, uint8_t i2, uint8_t i3, int nack,
- const uint8_t *attr, int attr_len)
+ const uint8_t *attr, unsigned int attr_len)
 {
 struct abis_om_hdr *oh;
 struct msgb *msg = nm_msgb_alloc();
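Review bot: With `attr_len` now unsigned in abis_nm_sw_act_req_ack (here and in the prototype in include/osmocom/bsc/abis_nm.h), a caller whose length subtraction underflows passes a very large value instead of a negative one, so the function should bound it itself before copying `attr` into the message from `nm_msgb_alloc()`. The body continues past the end of the hunk, so whether such a check exists is not visible. If it does not, a line like `if (attr_len > msgb_tailroom(msg)) { msgb_free(msg); return -EINVAL; }`, placed once the headers are in the msgb and before the copy, would make the contract explicit. A short comment on the prototype saying that `attr_len` is the number of bytes at `attr` would also help. Separately, `abis_nm_set_radio_attr` in the same header still takes `int attr_len`.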