fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmocom-bb/+/35601?usp=email )


Change subject: mobile: gsm48_mm_data_ind(): check if struct gsm48_hdr fits
......................................................................

mobile: gsm48_mm_data_ind(): check if struct gsm48_hdr fits

A similar check was recently added to gsm48_cc_data_ind().

Change-Id: Ibc5153df41e2c6365a3c65b1906d440a1074514b
Related: 273d412a "mobile: gsm48_cc_data_ind(): check if struct gsm48_hdr fits"
---
M src/host/layer23/src/mobile/gsm48_mm.c
1 file changed, 23 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/01/35601/1

diff --git a/src/host/layer23/src/mobile/gsm48_mm.c 
b/src/host/layer23/src/mobile/gsm48_mm.c
index 16a9b07..ee457ad 100644
--- a/src/host/layer23/src/mobile/gsm48_mm.c
+++ b/src/host/layer23/src/mobile/gsm48_mm.c
@@ -4731,13 +4731,21 @@
        struct gsm48_mmlayer *mm = &ms->mmlayer;
        struct gsm48_rr_hdr *rrh = (struct gsm48_rr_hdr *)msg->data;
        uint8_t sapi = rrh->sapi;
-       struct gsm48_hdr *gh = msgb_l3(msg);
-       uint8_t pdisc = gh->proto_discr & 0x0f;
-       uint8_t msg_type = gh->msg_type & 0xbf;
+       const struct gsm48_hdr *gh = msgb_l3(msg);
+       uint8_t pdisc, msg_type;
        int msg_supported = 0; /* determine, if message is supported at all */
        uint8_t skip_ind;
        int i, rc;

+       if (msgb_l3len(msg) < sizeof(*gh)) {
+               LOGP(DMM, LOGL_INFO, "%s(): short read of msgb: %s\n",
+                    __func__, msgb_hexdump(msg));
+               return -EINVAL;
+       }
+
+       pdisc = gh->proto_discr & 0x0f;
+       msg_type = gh->msg_type & 0xbf;
+
        /* 9.2.19 */
        if (msg_type == GSM48_MT_MM_NULL) {
                msgb_free(msg);
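
Review bot: The new short-read branch (`if (msgb_l3len(msg) < sizeof(*gh))`) returns -EINVAL without releasing msg, while the GSM48_MT_MM_NULL branch directly below it calls msgb_free(msg). If this function owns the msgb on its exit paths, as that branch suggests, add msgb_free(msg) before `return -EINVAL;` so that truncated messages do not leak a buffer each time they arrive. Separately, `uint8_t sapi = rrh->sapi;` in the declarations still reads from msg->data ahead of the new check, and no length check on struct gsm48_rr_hdr is visible in this hunk; please confirm the caller guarantees that header is present, or move the read below a corresponding check.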

--
To view, visit https://gerrit.osmocom.org/c/osmocom-bb/+/35601?usp=email

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: Ibc5153df41e2c6365a3c65b1906d440a1074514b
Gerrit-Change-Number: 35601
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <[email protected]>
Gerrit-MessageType: newchange