libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
In ran_a_make_handover_request() we do prevent destination buffer (r.encryption_information.key) overflow, but not source buffer (n->geran.chosen_encryption->key) overrun if an incorrect key length is received. Let's fix this. Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575 Fixes: CID#198450 Out-of-bounds access
parent
18e8b39fcd
commit
444771dae2
@ -1080,7 +1080,9 @@ struct msgb *ran_a_make_handover_request(struct osmo_fsm_inst *log_fi, const str
|
|||
/* Encryption Information */
|
||||
make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);
|
||||
if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
|
||||
if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {
|
||||
/* Prevent both source / destination buffer overrun / overflow */
|
||||
if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)
|
||||
|| n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) {
|
||||
LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",
|
||||
n->geran.chosen_encryption->key_len);
|
||||
return NULL;
|
||||
|
|
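Review bot: The added bound `key_len > sizeof(n->geran.chosen_encryption->key)` protects only this one reader in ran_a_make_handover_request(). The description says the bad length is received, so the same unchecked `key_len` can presumably reach any other code that copies `chosen_encryption->key`. Rejecting an oversized length where the struct is filled in would cover every reader, with this check kept as a second line of defence. The single error message also merges two different failures, a destination that is too small and a length larger than its own source array (which suggests malformed or corrupted input), so consider logging the limit as well, e.g. `"Handover Request: invalid chosen encryption key size %u (max %zu)\n"`. The function body and the copy that consumes `key_len` lie outside this hunk, so the new comment could state the invariant directly: `/* key_len comes from a received message; it must fit both key[] arrays before the copy below */`.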