Patch Set 2: Code-Review-1

(2 comments)

https://gerrit.osmocom.org/#/c/5424/2/src/libmsc/a_iface_bssap.c
File src/libmsc/a_iface_bssap.c:

Line 328:       msg->l3h = msgb_put(msg, TLVP_LEN(&tp, GSM0808_IE_LAYER_3_INFORMATION));
msgb_put() will panic if the length value provided in the data packet exceeds 
the length of the message buffer. So this could be used as a DoS attack vector.

Could we compare the length value from the packet to msgb_l3len() and goto fail 
if the length value is larger?


Line 425:               msg->l3h = msgb_put(msg, TLVP_LEN(&tp, GSM0808_IE_LAYER_3_MESSAGE_CONTENTS));
Same problem.


-- 
To view, visit https://gerrit.osmocom.org/5424
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I28073efd5cff58cd212341bceee784caf08d5ad8
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Pau Espin Pedrol <pes...@sysmocom.de>
Gerrit-Reviewer: Stefan Sperling <ssperl...@sysmocom.de>
Gerrit-HasComments: Yes
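
The kind of length check the review comment asks for, as an added example that is not part of the original review or of osmo-msc. A toy buffer stands in for the message buffer; toy_msgb, toy_tailroom, toy_append_ie and the tag value TOY_IE_L3 are hypothetical names used only here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_IE_L3 0x17 /* sample tag value for this example */

/* Toy stand-in for a message buffer: fixed storage plus bytes used. */
struct toy_msgb { uint8_t data[32]; size_t len; };

static size_t toy_tailroom(const struct toy_msgb *m)
{
    return sizeof(m->data) - m->len;
}

/* Append the value of IE `tag` from a tag-length-value packet to m.
 * Returns bytes copied, or -1 on a missing IE or an untrustworthy length. */
static int toy_append_ie(struct toy_msgb *m, const uint8_t *pkt,
                         size_t pkt_len, uint8_t tag)
{
    size_t pos = 0;

    while (pkt_len - pos >= 2) {        /* room for tag + length octet */
        uint8_t t = pkt[pos];
        size_t vlen = pkt[pos + 1];
        pos += 2;
        if (vlen > pkt_len - pos)       /* length claims more than was received */
            return -1;
        if (t == tag) {
            if (vlen > toy_tailroom(m)) /* reject instead of aborting the process */
                return -1;
            memcpy(m->data + m->len, pkt + pos, vlen);
            m->len += vlen;
            return (int)vlen;
        }
        pos += vlen;                    /* skip an IE we are not looking for */
    }
    return -1;
}

int main(void)
{
    struct toy_msgb m = { .len = 0 };
    const uint8_t good[] = { 0x01, 1, 0x00, 0x17, 2, 0x11, 0x22 }; /* constructed */
    const uint8_t lying[] = { 0x17, 200, 0xAA, 0xBB };             /* constructed */
    printf("good:  %d\n", toy_append_ie(&m, good, sizeof(good), TOY_IE_L3));
    printf("lying: %d\n", toy_append_ie(&m, lying, sizeof(lying), TOY_IE_L3));
    return 0;
}
```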
