Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13982 )

Change subject: libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
......................................................................

libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun

In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.

Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
---
M src/libmsc/ran_msg_a.c
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 21be896..805308c 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -1080,7 +1080,9 @@
        /* Encryption Information */
        make_encrypt_info_perm_algo(log_fi, &r.encryption_information, 
n->geran.a5_encryption_mask, n->classmark);
        if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
-               if (n->geran.chosen_encryption->key_len > 
sizeof(r.encryption_information.key)) {
+               /* Prevent both source / destination buffer overrun / overflow 
*/
+               if (n->geran.chosen_encryption->key_len > 
sizeof(r.encryption_information.key)
+                   || n->geran.chosen_encryption->key_len > 
sizeof(n->geran.chosen_encryption->key)) {
                        LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: 
invalid chosen encryption key size %u\n",
                                       n->geran.chosen_encryption->key_len);
                        return NULL;
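
Review bot: the added `key_len > sizeof(n->geran.chosen_encryption->key)` test shares its error path with the destination-size test, so the log line "invalid chosen encryption key size %u" does not show which limit was exceeded; printing the two sizeof() limits next to key_len would make a rejected value diagnosable from the log alone. The commit message describes the bad length as received, so key_len could also be validated once at the point where chosen_encryption is filled in, keeping this test in ran_a_make_handover_request() as the last guard before the key is used. The new comment "Prevent both source / destination buffer overrun / overflow" would read more clearly as "reject key_len larger than either the source or the destination key buffer".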

--
To view, visit https://gerrit.osmocom.org/13982

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Gerrit-Change-Number: 13982
Gerrit-PatchSet: 4
Gerrit-Owner: Vadim Yanitskiy <[email protected]>
Gerrit-Reviewer: Harald Welte <[email protected]>
Gerrit-Reviewer: Jenkins Builder (1000002)
