fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/27865 )
Change subject: abis_nm: always check return value of tlv_parse()
......................................................................

abis_nm: always check return value of tlv_parse()

Change-Id: Iecba34a96f71922ddd25028e7d3404f89b1106de
---
M src/osmo-bsc/abis_nm.c
1 file changed, 41 insertions(+), 10 deletions(-)

  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/65/27865/1

diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index 1c21bc2..f7882ac 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -256,8 +256,12 @@
 
 	new_state = *nm_state;
 
+	if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
+
 	DEBUGPFOH(DNM, foh, "STATE CHG: ");
-	abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
 	if (TLVP_PRESENT(&tp, NM_ATT_OPER_STATE)) {
 		new_state.operational = *TLVP_VAL(&tp, NM_ATT_OPER_STATE);
 		DEBUGPC(DNM, "OP_STATE=%s ",
@@ -375,8 +379,10 @@
 	sd = talloc_zero(tall_bsc_ctx, struct nm_fail_rep_signal_data);
 	OSMO_ASSERT(sd);
 
-	if (abis_nm_tlv_parse(&sd->tp, bts, foh->data, oh->length-sizeof(*foh)) < 0)
+	if (abis_nm_tlv_parse(&sd->tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
 		goto fail;
+	}
 
 	if (TLVP_PRESENT(&sd->tp, NM_ATT_ADD_TEXT)) {
 		const uint8_t *val = TLVP_VAL(&sd->tp, NM_ATT_ADD_TEXT);
@@ -678,7 +684,11 @@
 	/* After parsing unreported attribute id list inside Response info,
 	   there's a list of reported attribute ids and their values, in a
 	   TLV list form. */
-	abis_nm_tlv_parse(tp, bts, data, data_len);
+	if (abis_nm_tlv_parse(tp, bts, data, data_len) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
+
 	return parse_attr_resp_info_attr(bts, trx, foh, tp);
 }
 
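Review bot: The four-line parse-and-log block introduced in the hunk at -256 is repeated verbatim in every other hunk of this change (-375, -678, -698, -734, -771, -790, -943, -2838), and the log line drops the return code that abis_nm_tlv_parse() reports, so a truncated IE and an unknown tag are indistinguishable in the log when a BTS misbehaves. A small static helper that takes oh/foh, performs the length subtraction once, logs the rc and returns it would reduce each handler to a single `if (abis_nm_tlv_parse_foh(&tp, bts, oh, foh, __func__) < 0) return -EINVAL;` (the failure report at -375 keeps its goto). Unless the OML dispatcher already guarantees oh->length >= sizeof(*foh) before these handlers run — that check is not visible in this change — the helper is also the one place to reject a short header before `oh->length - sizeof(*foh)` wraps to a huge length. The enclosing functions of all hunks start outside the hunks.
```c
/* Parse the TLV payload that follows the FOM header of an OML message.
 * Logs on failure; returns the rc of abis_nm_tlv_parse(), or -EINVAL when
 * oh->length cannot even hold the FOM header. */
static int abis_nm_tlv_parse_foh(struct tlv_parsed *tp, struct gsm_bts *bts,
				 const struct abis_om_hdr *oh,
				 const struct abis_om_fom_hdr *foh,
				 const char *caller)
{
	int rc;

	if (oh->length < sizeof(*foh)) {
		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): OML header too short (%u)\n",
			caller, oh->length);
		return -EINVAL;
	}

	rc = abis_nm_tlv_parse(tp, bts, foh->data, oh->length - sizeof(*foh));
	if (rc < 0)
		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed (rc=%d)\n", caller, rc);
	return rc;
}
```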
@@ -698,7 +708,10 @@
 
 	DEBUGPFOH(DNM, foh, "Get Attributes Response\n");
 
-	abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
+	if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
 
 	/* nanoBTS doesn't send Get Attribute Response Info, uses its own format */
 	if (bts->type != GSM_BTS_TYPE_NANOBTS)
@@ -734,7 +747,11 @@
 		return ret;
 	}
 
-	abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+	if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
+
 	sw_config = TLVP_VAL(&tp, NM_ATT_SW_CONFIG);
 	sw_config_len = TLVP_LEN(&tp, NM_ATT_SW_CONFIG);
 	if (!TLVP_PRESENT(&tp, NM_ATT_SW_CONFIG)) {
@@ -771,7 +788,11 @@
 	struct tlv_parsed tp;
 	uint8_t adm_state;
 
-	abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+	if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
+
 	if (!TLVP_PRESENT(&tp, NM_ATT_ADM_STATE))
 		return -EINVAL;
 
@@ -790,8 +811,12 @@
 	struct e1inp_sign_link *sign_link = mb->dst;
 	struct tlv_parsed tp;
 
+	if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
+
 	DEBUGPFOH(DNM, foh, "LMT Event ");
-	abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
 	if (TLVP_PRESENT(&tp, NM_ATT_BS11_LMT_LOGON_SESSION) &&
 	    TLVP_LEN(&tp, NM_ATT_BS11_LMT_LOGON_SESSION) >= 1) {
 		uint8_t onoff = *TLVP_VAL(&tp, NM_ATT_BS11_LMT_LOGON_SESSION);
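Review bot: In the hunk at -734 the new guard is immediately followed by `sw_config = TLVP_VAL(&tp, NM_ATT_SW_CONFIG);` and `sw_config_len = TLVP_LEN(&tp, NM_ATT_SW_CONFIG);`, and only then is `if (!TLVP_PRESENT(&tp, NM_ATT_SW_CONFIG)) {` tested, so the handler still reads the parse result of a possibly absent IE before deciding it is missing. That order is pre-existing and is harmless only as long as TLVP_VAL/TLVP_LEN tolerate a missing tag; since the block is being reworked anyway, moving the TLVP_PRESENT test above the two reads makes the checks run in the same order as the new parse guard and removes that reliance. The enclosing function starts and ends outside the hunk.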
@@ -943,9 +968,12 @@
 	struct nm_nack_signal_data nack_data;
 	struct tlv_parsed tp;
 
-	LOGPFOH(DNM, LOGL_NOTICE, foh, "%s NACK ", abis_nm_nack_name(mt));
+	if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
 
-	abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
+	LOGPFOH(DNM, LOGL_NOTICE, foh, "%s NACK ", abis_nm_nack_name(mt));
 	if (TLVP_PRESENT(&tp, NM_ATT_NACK_CAUSES))
 		LOGPC(DNM, LOGL_NOTICE, "CAUSE=%s\n",
 			abis_nm_nack_cause_name(*TLVP_VAL(&tp, NM_ATT_NACK_CAUSES)));
@@ -2838,7 +2866,10 @@
 		return -EINVAL;
 	}
 
-	abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+	if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+		LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+		return -EINVAL;
+	}
 
 	/* The message might be received over the main OML link, so we cannot
 	 * just use sign_link->trx. Resolve it by number from the FOM header. */
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/27865
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: Iecba34a96f71922ddd25028e7d3404f89b1106de
Gerrit-Change-Number: 27865
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanits...@sysmocom.de>
Gerrit-MessageType: newchange
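Review bot: In the hunk at -943 the new early return fires before the NACK is logged and, presumably, before nack_data is filled and dispatched further down, so a NACK whose attributes fail to parse is now dropped without saying which NACK was lost; previously the handler continued with a partially parsed tp and still reported it. If the dispatch below the hunk is what unblocks a pending state machine, the error path should at least name the message, e.g. `LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed, dropping %s NACK\n", __func__, abis_nm_nack_name(mt));`, or the handler should fall through with an empty tp rather than return. The enclosing function starts and ends outside the hunk.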