libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun

In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.

Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
This commit is contained in:
Vadim Yanitskiy 2019-05-11 04:46:24 +07:00 committed by Harald Welte
parent 18e8b39fcd
commit 444771dae2
1 changed files with 3 additions and 1 deletions

View File

@ -1080,7 +1080,9 @@ struct msgb *ran_a_make_handover_request(struct osmo_fsm_inst *log_fi, const str
/* Encryption Information */
make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);
if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {
/* Prevent both source / destination buffer overrun / overflow */
if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)
|| n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) {
LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",
n->geran.chosen_encryption->key_len);
return NULL;