From a70d6b25c4943fd58de5b19597d98bec9da1b118 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Mon, 24 Apr 2023 18:12:44 +0200
Subject: [PATCH] fix length check in abis_rsl_rx_rll()

In abis_rsl_rx_rll(), we do the following header length check -- quick challenge, can you spot the two bugs hidden here?

struct abis_rsl_rll_hdr *rllh;
if (msgb_l2len(msg) > sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh))
msg->l3h = &rllh->data[3];

Fix these bugs:
- struct abis_rsl_common_hdr is already included as the first member of abis_rsl_rll_hdr, no need to add that.
- We are going to be accessing rrlh->data[3], so we must check for at least sizeof(*rllh) + 4.

Change-Id: Ie4aee615c8c904ae8308ec0074d8bc5208137061
---
 src/osmo-bsc/abis_rsl.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index 637094205..2fc640b77 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -2500,8 +2500,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
 switch (rllh->c.msg_type) {
 case RSL_MT_DATA_IND:
 LOG_LCHAN(msg->lchan, LOGL_DEBUG, "SAPI=%u DATA INDICATION\n", sapi);
- if (msgb_l2len(msg) >
- sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
+ if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
 rllh->data[0] == RSL_IE_L3_INFO) {
 msg->l3h = &rllh->data[3];
 return gsm0408_rcvmsg(msg, rllh->link_id);
@@ -2543,8 +2542,7 @@ static int abis_rsl_rx_rll(struct msgb *msg)
 msg->lchan->sapis[sapi] = LCHAN_SAPI_MS;
 osmo_fsm_inst_dispatch(msg->lchan->fi, LCHAN_EV_RLL_ESTABLISH_IND, msg);
- if (msgb_l2len(msg) >
- sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
+ if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
 rllh->data[0] == RSL_IE_L3_INFO) {
 msg->l3h = &rllh->data[3];
 return gsm0408_rcvmsg(msg, rllh->link_id);
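Review bot: The literal `3` in the new condition `msgb_l2len(msg) > (sizeof(*rllh) + 3)` is unexplained in the code, although it is exactly what makes `msg->l3h = &rllh->data[3]` safe: the L3 INFO IE carries a tag byte and a 2-byte length before the payload, so data[0..3] must all lie inside L2; the identical check and literal appear again in the RSL_MT_EST_IND hunk at line 2542. Spelling the bound the way the commit message does, `msgb_l2len(msg) >= sizeof(*rllh) + 4`, and saying where the 4 comes from would stop the next reader from re-deriving it; since the IE's own length field in data[1..2] is never compared with the bytes present, a comment should also state that the L3 length used downstream presumably comes from the msgb tail, not from that field (to be confirmed against gsm0408_rcvmsg). Because the check is duplicated in both hunks, a small static helper keeps the two sites from drifting apart again, as they did before this fix. abis_rsl_rx_rll() starts before and ends after both hunks.
```c
/* True when the RLL message carries an L3 INFO IE whose TL16V header
 * (tag byte + 2-byte length) fits inside L2, i.e. data[0..3] are readable.
 * The L3 payload itself starts at data[3]; its length is taken from the msgb
 * tail downstream, not from the IE length field (to be confirmed). */
static bool rll_has_l3_info(const struct msgb *msg, const struct abis_rsl_rll_hdr *rllh)
{
	return msgb_l2len(msg) >= sizeof(*rllh) + 4 &&
	       rllh->data[0] == RSL_IE_L3_INFO;
}

/* … unchanged: abis_rsl_rx_rll() up to the RSL_MT_DATA_IND case … */
		if (rll_has_l3_info(msg, rllh)) {
			msg->l3h = &rllh->data[3];
			return gsm0408_rcvmsg(msg, rllh->link_id);
/* … unchanged: the RSL_MT_EST_IND case uses the same helper call … */
```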