Harald Welte has submitted this change and it was merged.
Change subject: prevent integer underflow in ipa_ccm_make_id_resp_from_req()
......................................................................
prevent integer underflow in ipa_ccm_make_id_resp_from_req()
don't blindly trust the tag-length value in an IPA CCM ID GET
message. This could result in a remotely-triggered integer underflow.
Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15
---
M src/gsm/ipa.c
1 file changed, 6 insertions(+), 1 deletion(-)
Approvals:
Harald Welte: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index e03f615..0c7aaad 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -328,7 +328,12 @@
ies[num_ies++] = t_tag;
cur += t_len;
- len -= t_len;
+ /* prevent any unsigned integer underflow due to somebody
sending us
+ * messages with wrong length values */
+ if (len <= t_len)
+ len -= t_len;
+ else
+ len = 0;
}
return ipa_ccm_make_id_resp(dev, ies, num_ies);
}
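Review bot: the condition in `if (len <= t_len)` is inverted. As written, `len -= t_len` runs exactly when t_len is greater than or equal to len, which is the wrong-length case the comment says to guard against, while a well-formed element with len > t_len takes the else branch and gets `len = 0`. Suggest `if (len >= t_len) len -= t_len; else len = 0;`. Separately, `cur += t_len;` just above is still applied before any check, so an oversized t_len advances cur even when len is clamped; consider validating t_len against len before touching cur, and not appending `t_tag` to `ies` for an element that fails the check.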
--
To view, visit https://gerrit.osmocom.org/7840
Gerrit-MessageType: merged
Gerrit-Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15
Gerrit-PatchSet: 2
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <[email protected]>
Gerrit-Reviewer: Harald Welte <[email protected]>
Gerrit-Reviewer: Jenkins Builder