fix length check in abis_rsl_rx_rll()

In abis_rsl_rx_rll(), we do the following header length check -- quick
challenge, can you spot the two bugs hidden here?

  struct abis_rsl_rll_hdr *rllh;
  if (msgb_l2len(msg) >
      sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh))
           msg->l3h = &rllh->data[3];

Fix these bugs:

- struct abis_rsl_common_hdr is already included as the first member of
  abis_rsl_rll_hdr, no need to add that.
- We are going to be accessing rllh->data[3], so we must check for at
  least sizeof(*rllh) + 4.

Change-Id: Ie4aee615c8c904ae8308ec0074d8bc5208137061
Neels Hofmeyr 2023-04-24 18:12:44 +02:00 committed by neels
parent ea3e3c258d
commit a70d6b25c4
1 changed files with 2 additions and 4 deletions


@ -2500,8 +2500,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
switch (rllh->c.msg_type) {
case RSL_MT_DATA_IND:
LOG_LCHAN(msg->lchan, LOGL_DEBUG, "SAPI=%u DATA INDICATION\n", sapi);
if (msgb_l2len(msg) >
sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
rllh->data[0] == RSL_IE_L3_INFO) {
msg->l3h = &rllh->data[3];
return gsm0408_rcvmsg(msg, rllh->link_id);
@ -2543,8 +2542,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
msg->lchan->sapis[sapi] = LCHAN_SAPI_MS;
osmo_fsm_inst_dispatch(msg->lchan->fi, LCHAN_EV_RLL_ESTABLISH_IND, msg);
if (msgb_l2len(msg) >
sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
rllh->data[0] == RSL_IE_L3_INFO) {
msg->l3h = &rllh->data[3];
return gsm0408_rcvmsg(msg, rllh->link_id);