neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-sccp/+/37994?usp=email )


Change subject: coverity CID#272968 CID#272939
......................................................................

coverity CID#272968 CID#272939

properly bounds-check received value (offset) before calculating
msgb_l2len(msgb) - offset.

Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e
---
M src/sccp.c
1 file changed, 7 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/94/37994/1

diff --git a/src/sccp.c b/src/sccp.c
index 85bea6d..c348b9e 100644
--- a/src/sccp.c
+++ b/src/sccp.c
@@ -158,9 +158,15 @@
 static int _sccp_parse_optional_data(const int offset,
                                     struct msgb *msgb, struct 
sccp_optional_data *data)
 {
-       uint16_t room = msgb_l2len(msgb) - offset;
+       uint16_t room;
        uint16_t read = 0;

+       /* sanity: make sure no optional_start value received on the wire (that 
callers typically pass as 'offset'
+        * argument) takes us past the message buffer boundaries (CID#272968 
and others) */
+       if (offset >= msgb_l2len(msgb))
+               return 0;
+
+       room = msgb_l2len(msgb) - offset;
        while (room > read) {
                uint8_t type = msgb->l2h[offset + read];
                if (type == SCCP_PNC_END_OF_OPTIONAL)
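
Review bot: the new guard "if (offset >= msgb_l2len(msgb))" tests only the upper bound, while 'offset' is declared as a signed 'const int'. Whether a negative value is rejected here depends on the return type of msgb_l2len(), which is not visible in this hunk; writing "if (offset < 0 || offset >= msgb_l2len(msgb))" makes the check independent of integer conversion rules. 'room' also stays uint16_t, so "msgb_l2len(msgb) - offset" is still narrowed on assignment; a short comment on the maximum L2 length would document why that is safe. Finally, please confirm that returning 0 is the right result for an out-of-range offset received on the wire: if 0 is also what this function returns on success, callers cannot tell a malformed message from one that simply has no optional data, and a negative return would be clearer.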

--
To view, visit https://gerrit.osmocom.org/c/libosmo-sccp/+/37994?usp=email

Gerrit-MessageType: newchange
Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e
Gerrit-Change-Number: 37994
Gerrit-PatchSet: 1
Gerrit-Owner: neels <[email protected]>
