[MERGED] openbsc[master]: libmsc: gsm340_gen_oa_sub() may return negative value

Thu, 10 Aug 2017 13:17:28 -0700 

Harald Welte has submitted this change and it was merged.

Change subject: libmsc: gsm340_gen_oa_sub() may return negative value
......................................................................


libmsc: gsm340_gen_oa_sub() may return negative value

gsm340_gen_oa() returns a negative value if the output buffer that the
caller passes is too small, so we have to check the return value of this
function.

Fixes: CID 174178
Fixes: CID 174179
Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
---
M openbsc/src/libmsc/gsm_04_11.c
1 file changed, 9 insertions(+), 2 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/openbsc/src/libmsc/gsm_04_11.c b/openbsc/src/libmsc/gsm_04_11.c
index 73e0f55..8b4ffce 100644
--- a/openbsc/src/libmsc/gsm_04_11.c
+++ b/openbsc/src/libmsc/gsm_04_11.c
@@ -213,9 +213,9 @@
 {
        uint8_t *smsp;
        uint8_t oa[12]; /* max len per 03.40 */
-       uint8_t oa_len = 0;
        uint8_t octet_len;
        unsigned int old_msg_len = msg->len;
+       int oa_len;
 
        /* generate first octet with masked bits */
        smsp = msgb_put(msg, 1);
@@ -233,6 +233,9 @@
 
        /* generate originator address */
        oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+       if (oa_len < 0)
+               return -ENOSPC;
+
        smsp = msgb_put(msg, oa_len);
        memcpy(smsp, oa, oa_len);
 
@@ -282,9 +285,9 @@
                                             struct gsm_sms *sms)
 {
        unsigned int old_msg_len = msg->len;
-       uint8_t oa_len = 0;
        uint8_t oa[12]; /* max len per 03.40 */
        uint8_t *smsp;
+       int oa_len;
 
        /* generate first octet with masked bits */
        smsp = msgb_put(msg, 1);
@@ -296,8 +299,12 @@
        /* TP-MR (message reference) */
        smsp = msgb_put(msg, 1);
        *smsp = sms->msg_ref;
+
        /* generate recipient address */
        oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+       if (oa_len < 0)
+               return -ENOSPC;
+
        smsp = msgb_put(msg, oa_len);
        memcpy(smsp, oa, oa_len);
 

-- 
To view, visit https://gerrit.osmocom.org/3461
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
Gerrit-PatchSet: 1
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-Owner: Pablo Neira Ayuso <pa...@gnumonks.org>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Jenkins Builder

Reply via email to