abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages

The length parameter in rsl_imm_assign_cmd_common() may cause a buffer
overflow when it is chosen larger than GSM_MACBLOCK_LEN. Lets make sure
this cannot happen.

Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791

src/osmo-bsc/abis_rsl.c

@@ -930,10 +930,18 @@ int rsl_forward_layer3_info(struct gsm_lchan *lchan, const uint8_t *l3_info, uin
 /* Chapter 8.5.6 */
 struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, const uint8_t *val)
 {
-	struct msgb *msg = rsl_msgb_alloc();
+	struct msgb *msg;
 	struct abis_rsl_dchan_hdr *dh;
 	uint8_t buf[GSM_MACBLOCK_LEN];
 
+	if (len > sizeof(buf)) {
+		LOGP(DRSL, LOGL_ERROR,
+		     "Cannot send IMMEDIATE ASSIGNMENT message with excessive length (%u)\n", len);
+		return NULL;
+	}
+
+	msg = rsl_msgb_alloc();
+
 	dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh));
 	init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD);
 	dh->chan_nr = RSL_CHAN_PCH_AGCH;