fixeria has submitted this change. (
https://gerrit.osmocom.org/c/osmocom-bb/+/30359 )
Change subject: layer23: always check return value of rsl_tlv_parse()
......................................................................
layer23: always check return value of rsl_tlv_parse()
Similar to rsl_dec_chan_nr(), this function may also fail, leaving
the given struct tlv_parsed uninitialized.
Change-Id: I13f2a97eeff78ca8ed7d0a2844e4fca430ec7768
Related: OS#5599
---
M src/host/layer23/src/misc/app_cbch_sniff.c
M src/host/layer23/src/misc/cell_log.c
M src/host/layer23/src/misc/rslms.c
M src/host/layer23/src/mobile/gsm48_rr.c
4 files changed, 20 insertions(+), 4 deletions(-)
Approvals:
Jenkins Builder: Verified
laforge: Looks good to me, but someone else must approve
pespin: Looks good to me, approved
diff --git a/src/host/layer23/src/misc/app_cbch_sniff.c
b/src/host/layer23/src/misc/app_cbch_sniff.c
index 3ef1449..76d4537 100644
--- a/src/host/layer23/src/misc/app_cbch_sniff.c
+++ b/src/host/layer23/src/misc/app_cbch_sniff.c
@@ -111,7 +111,11 @@
DEBUGP(DRSL, "RSLms UNIT DATA IND chan_nr=0x%02x link_id=0x%02x\n",
rllh->chan_nr, rllh->link_id);
- rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg)-sizeof(*rllh));
+ if (rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg) - sizeof(*rllh)) <
0) {
+ LOGP(DRSL, LOGL_ERROR, "%s(): rsl_tlv_parse() failed\n",
__func__);
+ return -EINVAL;
+ }
+
if (!TLVP_PRESENT(&tv, RSL_IE_L3_INFO)) {
DEBUGP(DRSL, "UNIT_DATA_IND without L3 INFO ?!?\n");
return -EIO;
diff --git a/src/host/layer23/src/misc/cell_log.c
b/src/host/layer23/src/misc/cell_log.c
index 3cd34b8..f01b87e 100644
--- a/src/host/layer23/src/misc/cell_log.c
+++ b/src/host/layer23/src/misc/cell_log.c
@@ -669,7 +669,11 @@
DEBUGP(DRSL, "RSLms UNIT DATA IND chan_nr=0x%02x link_id=0x%02x\n",
rllh->chan_nr, rllh->link_id);
- rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg)-sizeof(*rllh));
+ if (rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg) - sizeof(*rllh)) <
0) {
+ LOGP(DRSL, LOGL_ERROR, "%s(): rsl_tlv_parse() failed\n",
__func__);
+ return -EINVAL;
+ }
+
if (!TLVP_PRESENT(&tv, RSL_IE_L3_INFO)) {
DEBUGP(DRSL, "UNIT_DATA_IND without L3 INFO ?!?\n");
return -EIO;
diff --git a/src/host/layer23/src/misc/rslms.c
b/src/host/layer23/src/misc/rslms.c
index b729c1c..f7f6fcd 100644
--- a/src/host/layer23/src/misc/rslms.c
+++ b/src/host/layer23/src/misc/rslms.c
@@ -61,7 +61,11 @@
DEBUGP(DRSL, "RSLms UNIT DATA IND chan_nr=0x%02x link_id=0x%02x\n",
rllh->chan_nr, rllh->link_id);
- rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg)-sizeof(*rllh));
+ if (rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg) - sizeof(*rllh)) <
0) {
+ LOGP(DRSL, LOGL_ERROR, "%s(): rsl_tlv_parse() failed\n",
__func__);
+ return -EINVAL;
+ }
+
if (!TLVP_PRESENT(&tv, RSL_IE_L3_INFO)) {
DEBUGP(DRSL, "UNIT_DATA_IND without L3 INFO ?!?\n");
return -EIO;
diff --git a/src/host/layer23/src/mobile/gsm48_rr.c
b/src/host/layer23/src/mobile/gsm48_rr.c
index 884e426..2d89d7a 100644
--- a/src/host/layer23/src/mobile/gsm48_rr.c
+++ b/src/host/layer23/src/mobile/gsm48_rr.c
@@ -4873,7 +4873,11 @@
DEBUGP(DRSL, "RSLms UNIT DATA IND chan_nr=0x%02x link_id=0x%02x\n",
rllh->chan_nr, rllh->link_id);
- rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg)-sizeof(*rllh));
+ if (rsl_tlv_parse(&tv, rllh->data, msgb_l2len(msg) - sizeof(*rllh)) <
0) {
+ LOGP(DRSL, LOGL_ERROR, "%s(): rsl_tlv_parse() failed\n",
__func__);
+ return -EINVAL;
+ }
+
if (!TLVP_PRESENT(&tv, RSL_IE_L3_INFO)) {
DEBUGP(DRSL, "UNIT_DATA_IND without L3 INFO ?!?\n");
return -EIO;
--
To view, visit https://gerrit.osmocom.org/c/osmocom-bb/+/30359
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: I13f2a97eeff78ca8ed7d0a2844e4fca430ec7768
Gerrit-Change-Number: 30359
Gerrit-PatchSet: 2
Gerrit-Owner: fixeria <vyanits...@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanits...@sysmocom.de>
Gerrit-Reviewer: laforge <lafo...@osmocom.org>
Gerrit-Reviewer: pespin <pes...@sysmocom.de>
Gerrit-MessageType: merged
