ggsn: fix misinterpreted length field in ipcp_contains_option()

The abort condition of the while loop in ipcp_contains_option()
is accessing ipcp->len directly. Unfortunately this field is a
uint16_t which has to be interpreted as little endian value. If
it is used without prior conversion the value may appear larger
than actually intended and the loop will then not stop at the
end of the buffer.

This can cause unpredictable results when the value given with
the parameter enum ipcp_options opt is not found.

The loop will then eventually cause a segmentation fault or
is likely to hang as soon as cur_opt->len points to a zero
byte in memory.

- Make sure that ipcp->len is interpreted correctly by accessing
  it through ntohs()

Change-Id: Icffde89f9bc5d8fcadf6e2dd6c0b4de03440edd5
Related: OS#3288
Philipp Maier 2018-05-28 17:35:03 +02:00
parent 906c2099da
commit 0d95ca59f9
1 changed files with 1 additions and 1 deletions


@ -418,7 +418,7 @@ static struct ipcp_option_hdr *ipcp_contains_option(struct ipcp_hdr *ipcp, enum
uint8_t *cur = ipcp->options;
/* iterate over Options and check if protocol contained */
while (cur + 2 <= ((uint8_t *)ipcp) + ipcp->len) {
while (cur + 2 <= ((uint8_t *)ipcp) + ntohs(ipcp->len)) {
struct ipcp_option_hdr *cur_opt = (struct ipcp_option_hdr *) cur;
if (cur_opt->type == opt)
return cur_opt;
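Review bot: the corrected loop condition only guarantees that the two-byte option header at `cur` lies inside the buffer delimited by `ntohs(ipcp->len)`; nothing visible in this hunk checks that the option's own length (`cur_opt->len`) is at least 2 and that `cur + cur_opt->len` also stays within that end pointer, so a malformed option with a zero or oversized length can still stall the loop or let the walk run past the buffer, which is the hang scenario the commit message itself describes. Suggest computing the end once, e.g. `uint8_t *end = ((uint8_t *)ipcp) + ntohs(ipcp->len);`, and bailing out with `return NULL;` when `cur_opt->len < 2 || cur + cur_opt->len > end` before the loop advances, so that both the outer length and each option's length are validated against the same bound.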