neels has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/32421 )

Change subject: fix length check in abis_rsl_rx_rll()
......................................................................

fix length check in abis_rsl_rx_rll()

In abis_rsl_rx_rll(), we do the following header length check -- quick
challenge, can you spot the two bugs hidden here?

  struct abis_rsl_rll_hdr *rllh;
  if (msgb_l2len(msg) >
      sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh))
           msg->l3h = &rllh->data[3];

Fix these bugs:

- struct abis_rsl_common_hdr is already included as the first member of
  abis_rsl_rll_hdr, no need to add that.
- We are going to be accessing rllh->data[3], so we must check for at
  least sizeof(*rllh) + 4.

Change-Id: Ie4aee615c8c904ae8308ec0074d8bc5208137061
---
M src/osmo-bsc/abis_rsl.c
1 file changed, 26 insertions(+), 4 deletions(-)
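The two bugs the commit message describes, worked through in an added example that is not osmo-bsc or libosmocore code: the struct layouts and the RSL_IE_L3_INFO tag value below are simplified stand-ins written for this illustration (an assumption, not the real headers), and `old_check_passes()`, `new_check_passes()`, `data3_in_bounds()`, `first_accepted_oob()` and `rx_rll_l3_offset()` are hypothetical helpers. It shows that the old guard accepts a 9-byte message whose `data[3]` lies one byte past the end, while the fixed bound rejects anything shorter than `sizeof(*rllh) + 4`.

```c
/* Added example, not osmo-bsc code: why the old header length check in
 * abis_rsl_rx_rll() let msg->l3h = &rllh->data[3] point past the end of
 * a short message, and why the fixed bound (sizeof(*rllh) + 3) does not.
 * The struct layouts and the RSL_IE_L3_INFO value are simplified
 * stand-ins for libosmocore's definitions and are assumptions here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RSL_IE_L3_INFO 0x0b  /* assumed IE tag value for this example */

struct abis_rsl_common_hdr {
	uint8_t msg_discr;
	uint8_t msg_type;
};

struct abis_rsl_rll_hdr {
	struct abis_rsl_common_hdr c;  /* common header is already the first member */
	uint8_t ie_chan;
	uint8_t chan_nr;
	uint8_t ie_link_id;
	uint8_t link_id;
	uint8_t data[];  /* IEs follow the fixed header */
};

/* Byte offset of rllh->data[3], the L3 payload start, from the message start. */
static size_t l3_offset(void)
{
	return offsetof(struct abis_rsl_rll_hdr, data) + 3;
}

/* True when an L2 payload of length l2len actually contains data[3]. */
bool data3_in_bounds(size_t l2len)
{
	return l2len > l3_offset();
}

/* The guard before the fix: counts the common header a second time and
 * ignores that data[3] lies four bytes beyond the fixed header. */
bool old_check_passes(size_t l2len)
{
	return l2len > sizeof(struct abis_rsl_common_hdr) + sizeof(struct abis_rsl_rll_hdr);
}

/* The guard after the fix: l2len must be at least sizeof(*rllh) + 4. */
bool new_check_passes(size_t l2len)
{
	return l2len > sizeof(struct abis_rsl_rll_hdr) + 3;
}

/* Smallest l2len (searched up to 64) that a guard accepts although
 * data[3] is outside the message; 0 means the guard is sound. */
size_t first_accepted_oob(bool (*check)(size_t))
{
	for (size_t len = 0; len < 64; len++)
		if (check(len) && !data3_in_bounds(len))
			return len;
	return 0;
}

/* Simulated DATA INDICATION path: returns the offset msg->l3h would get,
 * or -1 when the guard rejects the message or the IE tag does not match.
 * Only data[0] is dereferenced here; the guard is what protects data[3]. */
int rx_rll_l3_offset(const uint8_t *buf, size_t l2len, bool (*check)(size_t))
{
	const struct abis_rsl_rll_hdr *rllh = (const struct abis_rsl_rll_hdr *)buf;
	if (!check(l2len))
		return -1;
	if (rllh->data[0] != RSL_IE_L3_INFO)
		return -1;
	return (int)l3_offset();
}

int main(void)
{
	/* Constructed 9-byte message: fixed header, then the L3 INFO tag at
	 * data[0] and two more bytes, but no byte at data[3]. The buffer is
	 * padded so the simulation itself never reads out of bounds. */
	uint8_t short_msg[16] = { 0x02, 0x02, 0x01, 0x08, 0x02, 0x00,
				  RSL_IE_L3_INFO, 0x00, 0x00 };
	size_t l2len = 9;

	printf("old guard: l3h offset %d for a %zu-byte message\n",
	       rx_rll_l3_offset(short_msg, l2len, old_check_passes), l2len);
	printf("new guard: l3h offset %d\n",
	       rx_rll_l3_offset(short_msg, l2len, new_check_passes));
	printf("first length the old guard wrongly accepts: %zu\n",
	       first_accepted_oob(old_check_passes));
	printf("first length the new guard wrongly accepts: %zu\n",
	       first_accepted_oob(new_check_passes));
	return 0;
}
```

With these layouts the old guard returns an l3h offset of 9 for a 9-byte message, i.e. one past the end, and `first_accepted_oob()` reports 9 for the old guard and 0 for the new one; the fixed bound is the smallest one that makes the later `&rllh->data[3]` safe, and nothing larger is needed for the header itself.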

Approvals:
  laforge: Looks good to me, but someone else must approve
  fixeria: Looks good to me, approved
  pespin: Looks good to me, but someone else must approve
  Jenkins Builder: Verified




diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index 6370942..2fc640b 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -2500,8 +2500,7 @@
        switch (rllh->c.msg_type) {
        case RSL_MT_DATA_IND:
                LOG_LCHAN(msg->lchan, LOGL_DEBUG, "SAPI=%u DATA INDICATION\n", 
sapi);
-               if (msgb_l2len(msg) >
-                   sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
+               if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
                    rllh->data[0] == RSL_IE_L3_INFO) {
                        msg->l3h = &rllh->data[3];
                        return gsm0408_rcvmsg(msg, rllh->link_id);
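Review bot: the new bound `msgb_l2len(msg) > (sizeof(*rllh) + 3)` guarantees only that rllh->data[0] through data[3] are inside the message; it says nothing about how many L3 bytes follow the new msg->l3h, so gsm0408_rcvmsg() must still bound its own parsing by msgb_l3len(msg) (or this guard should additionally validate the L3 INFO IE against the remaining length). Also, the bare `3` deserves a comment or named constant saying that data[3] is where the L3 message starts after the RSL_IE_L3_INFO tag at data[0] and the two bytes following it, so the next reader does not have to re-derive the commit message's "at least sizeof(*rllh) + 4".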
@@ -2543,8 +2542,7 @@
                msg->lchan->sapis[sapi] = LCHAN_SAPI_MS;
                osmo_fsm_inst_dispatch(msg->lchan->fi, 
LCHAN_EV_RLL_ESTABLISH_IND, msg);

-               if (msgb_l2len(msg) >
-                   sizeof(struct abis_rsl_common_hdr) + sizeof(*rllh) &&
+               if (msgb_l2len(msg) > (sizeof(*rllh) + 3) &&
                    rllh->data[0] == RSL_IE_L3_INFO) {
                        msg->l3h = &rllh->data[3];
                        return gsm0408_rcvmsg(msg, rllh->link_id);
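Review bot: this guard and the msg->l3h assignment are a verbatim copy of the RSL_MT_DATA_IND case above, and the bug being fixed had to be patched in both places; consider factoring them into one static helper (for example a hypothetical rsl_rll_l3_info_present(rllh, msgb_l2len(msg))) so the two callers cannot drift apart again. Minor: osmo_fsm_inst_dispatch(..., LCHAN_EV_RLL_ESTABLISH_IND, msg) runs before the length check, so a truncated message still drives the lchan FSM; if that ordering is intended, a one-line comment would make it clear.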

--
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/32421

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: Ie4aee615c8c904ae8308ec0074d8bc5208137061
Gerrit-Change-Number: 32421
Gerrit-PatchSet: 3
Gerrit-Owner: neels <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: neels <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-CC: msuraev <[email protected]>
Gerrit-MessageType: merged
