rsl: parse RSL_IE_OSMO_OSMUX_CID correctly

This IE has TLV format, even though the only valid form is a single
value octet.  To guard against pathological input with L=0 in this IE,
we have to check the length explicitly with TLVP_PRES_LEN before
accepting TLVP_VAL as if it was TV.

Change-Id: I15fa75b6c30d7fa0bf50424d25fc47a088dada0a
Mychaela N. Falconia 2024-05-22 17:49:15 +00:00
parent b7aa08f69b
commit e01cf27678
1 changed files with 5 additions and 2 deletions


@ -2978,7 +2978,8 @@ static int rsl_rx_ipac_XXcx(struct msgb *msg)
struct tlv_parsed tp;
struct gsm_lchan *lchan = msg->lchan;
struct gsm_bts *bts = lchan->ts->trx->bts;
const uint8_t *payload_type, *speech_mode, *payload_type2, *osmux_cid, *csd_fmt;
const uint8_t *payload_type, *speech_mode, *payload_type2, *csd_fmt;
const uint8_t *osmux_cid = NULL;
uint32_t connect_ip = 0;
uint16_t connect_port = 0;
int rc, inc_ip_port = 0;
@ -3029,7 +3030,9 @@ static int rsl_rx_ipac_XXcx(struct msgb *msg)
if (payload_type2)
LOGPC(DRSL, LOGL_DEBUG, "payload_type2=%u ", *payload_type2);
osmux_cid = TLVP_VAL(&tp, RSL_IE_OSMO_OSMUX_CID);
/* this IE has TLV format when TV would have been good enough */
if (TLVP_PRES_LEN(&tp, RSL_IE_OSMO_OSMUX_CID, 1))
osmux_cid = TLVP_VAL(&tp, RSL_IE_OSMO_OSMUX_CID);
if (osmux_cid)
LOGPC(DRSL, LOGL_DEBUG, "osmux_cid=%u ", *osmux_cid);