fix length check in abis_rsl_rx_rll()
In abis_rsl_rx_rll(), we do the following header length check -- quick challenge, can you spot the two bugs hidden here? struct abis_rsl_rll_hdr *rllh; if (msgb_l2len(msg) > sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh)) msg->l3h = &rllh->data[3]; Fix these bugs: - struct abis_rsl_common_hdr is already included as the first member of abis_rsl_rll_hdr, no need to add that. - We are going to be accessing rrlh->data[3], so we must check for at least sizeof(*rllh) + 4. Change-Id: Ie4aee615c8c904ae8308ec0074d8bc5208137061
This commit is contained in:
parent
ea3e3c258d
commit
a70d6b25c4
|
@ -2500,8 +2500,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
|
|||
switch (rllh->c.msg_type) {
|
||||
case RSL_MT_DATA_IND:
|
||||
LOG_LCHAN(msg->lchan, LOGL_DEBUG, "SAPI=%u DATA INDICATION\n", sapi);
|
||||
if (msgb_l2len(msg) >
|
||||
sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
|
||||
if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
|
||||
rllh->data[0] == RSL_IE_L3_INFO) {
|
||||
msg->l3h = &rllh->data[3];
|
||||
return gsm0408_rcvmsg(msg, rllh->link_id);
|
||||
|
@ -2543,8 +2542,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
|
|||
msg->lchan->sapis[sapi] = LCHAN_SAPI_MS;
|
||||
osmo_fsm_inst_dispatch(msg->lchan->fi, LCHAN_EV_RLL_ESTABLISH_IND, msg);
|
||||
|
||||
if (msgb_l2len(msg) >
|
||||
sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
|
||||
if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
|
||||
rllh->data[0] == RSL_IE_L3_INFO) {
|
||||
msg->l3h = &rllh->data[3];
|
||||
return gsm0408_rcvmsg(msg, rllh->link_id);
|
||||
|
|
Loading…
Reference in New Issue