abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages
The length parameter in rsl_imm_assign_cmd_common() may cause a buffer overflow when it is chosen larger than GSM_MACBLOCK_LEN. Let's make sure this cannot happen. Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
parent
7747fecdbe
commit
52b74175dd
|
@ -930,10 +930,18 @@ int rsl_forward_layer3_info(struct gsm_lchan *lchan, const uint8_t *l3_info, uin
|
|||
/* Chapter 8.5.6 */
|
||||
struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, const uint8_t *val)
|
||||
{
|
||||
struct msgb *msg = rsl_msgb_alloc();
|
||||
struct msgb *msg;
|
||||
struct abis_rsl_dchan_hdr *dh;
|
||||
uint8_t buf[GSM_MACBLOCK_LEN];
|
||||
|
||||
if (len > sizeof(buf)) {
|
||||
LOGP(DRSL, LOGL_ERROR,
|
||||
"Cannot send IMMEDIATE ASSIGNMENT message with excessive length (%u)\n", len);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
msg = rsl_msgb_alloc();
|
||||
|
||||
dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh));
|
||||
init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD);
|
||||
dh->chan_nr = RSL_CHAN_PCH_AGCH;
|
||||
|
|
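Review bot: The result of `rsl_msgb_alloc()` is passed straight to `msgb_put()` without a NULL check, so if the allocator can fail, the line after the new length guard would still dereference a null pointer; adding `if (!msg) return NULL;` after `msg = rsl_msgb_alloc();` would close that path. The new early `return NULL` also makes NULL a possible return value of rsl_imm_assign_cmd_common(), so its callers, which are not visible here, need to check for it before touching the message. A one-line comment above the function such as `/* Returns NULL if len exceeds GSM_MACBLOCK_LEN */` would document that contract. The function body continues past the end of the hunk, so the copy into `buf` that the guard protects is not shown.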