laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/31577 )

Change subject: abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages
......................................................................

abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages

The length parameter in rsl_imm_assign_cmd_common() may cause a buffer
overflow when it is chosen larger than GSM_MACBLOCK_LEN. Let's make sure
this cannot happen.

Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
---
M src/osmo-bsc/abis_rsl.c
1 file changed, 22 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  fixeria: Looks good to me, approved
  laforge: Looks good to me, approved




diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index ee2e2d3..7eb3a43 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -930,10 +930,18 @@
 /* Chapter 8.5.6 */
 struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, 
const uint8_t *val)
 {
-       struct msgb *msg = rsl_msgb_alloc();
+       struct msgb *msg;
        struct abis_rsl_dchan_hdr *dh;
        uint8_t buf[GSM_MACBLOCK_LEN];

+       if (len > sizeof(buf)) {
+               LOGP(DRSL, LOGL_ERROR,
+                    "Cannot send IMMEDIATE ASSIGNMENT message with excessive 
length (%u)\n", len);
+               return NULL;
+       }
+
+       msg = rsl_msgb_alloc();
+
        dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh));
        init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD);
        dh->chan_nr = RSL_CHAN_PCH_AGCH;
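
Review bot: the `return NULL;` in the new length guard adds a NULL return path to rsl_imm_assign_cmd_common(), and no caller is visible in this hunk, so each caller needs to check the result before using or sending the msgb; otherwise the overflow is traded for a NULL dereference. Separately, `msg = rsl_msgb_alloc();` is still followed directly by `msgb_put(msg, sizeof(*dh))` with no check of the allocation result; now that the function can return NULL, an allocation failure could take the same path. Comparing against `sizeof(buf)` rather than repeating GSM_MACBLOCK_LEN is a good choice, since the guard stays correct if the buffer declaration changes.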

--

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
Gerrit-Change-Number: 31577
Gerrit-PatchSet: 6
Gerrit-Owner: dexter <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-MessageType: merged
