layer23/l1ctl.c: fix: verify msg length using l1h, not l2h

The actual L1CTL header is pointed to by 'msg->l1h', not 'l2h'!
Since msg->l2h is NULL (because nobody set it), the result of
msgb_l2len() would always be bigger than the size of the L1CTL header,
as it is calculated in the following way:

  return msgb->tail - (uint8_t *)msgb_l2(msgb);

So, in case if 'msg->l2h' is NULL, it turns into:

  return msgb->tail - 0;

Change-Id: I7fe2e00bb45ba07c9bb7438445eededfa09c96f3
This commit is contained in:
Vadim Yanitskiy 2018-10-03 06:22:16 +07:00
parent 7c04a6066e
commit d02927b036
1 changed files with 4 additions and 3 deletions


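--- a/layer23/l1ctl.c
+++ b/layer23/l1ctl.c
@@ -874,9 +874,10 @@ int l1ctl_recv(struct osmocom_ms *ms, struct msgb *msg)
 int rc = 0;
 struct l1ctl_hdr *l1h;
 
-if (msgb_l2len(msg) < sizeof(*l1h)) {
-LOGP(DL1C, LOGL_ERROR, "Short Layer2 message: %u\n",
-msgb_l2len(msg));
+/* Make sure a message has L1CTL header (pointed by msg->l1h) */
+if (msgb_l1len(msg) < sizeof(*l1h)) {
+LOGP(DL1C, LOGL_ERROR, "Short L1CTL message, "
+"missing the header (len=%u)\n", msgb_l1len(msg));
 msgb_free(msg);
 return -1;
 }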
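Review bot: The new guard `if (msgb_l1len(msg) < sizeof(*l1h))` is only sound if msg->l1h was actually set by whoever queued the message; if it is NULL, msgb_l1len() degenerates to `tail - 0` exactly as the description explains for l2h, and a short message would pass the check. Making that precondition explicit keeps the fix from silently regressing, e.g. `if (!msg->l1h || msgb_l1len(msg) < sizeof(*l1h)) {` with the log text unchanged, or at least a comment above the check stating that l1h is expected to be set by the receive path. l1ctl_recv continues past the hunk, so the header parsing that follows the check is not visible here.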