Change in libosmo-netif[master]: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
dexter has submitted this change and it was merged. ( https://gerrit.osmocom.org/13211 ) Change subject: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf .. amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf osmo_amr_bwe_to_oa() uses an internal buffer with static size to store intermediate results. The buffer is large enough for any real world situation, but the check that tests if the result would fit into the internal buffer is incorrect. It checks if there is enough room for the existing payload, but does not include the expected growth of the payload. Eventually the buffer could be overrun by one byte if one would put a 256 byte long AMR payload. Fixes: CID#195926 Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228 --- M src/amr.c 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Jenkins Builder: Verified Max: Looks good to me, but someone else must approve Pau Espin Pedrol: Looks good to me, approved diff --git a/src/amr.c b/src/amr.c index 9b423e8..9c63f60 100644 --- a/src/amr.c +++ b/src/amr.c @@ -158,7 +158,7 @@ if (payload_len + 1 > payload_maxlen) return -1; - if (payload_len > sizeof(buf)) + if (payload_len + 1 > sizeof(buf)) return -1; buf[0] = payload[0] & 0xf0; -- To view, visit https://gerrit.osmocom.org/13211 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-netif Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228 Gerrit-Change-Number: 13211 Gerrit-PatchSet: 1 Gerrit-Owner: dexter Gerrit-Reviewer: Jenkins Builder (102) Gerrit-Reviewer: Max Gerrit-Reviewer: Pau Espin Pedrol Gerrit-Reviewer: dexter
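Review bot: In the changed line `if (payload_len + 1 > sizeof(buf))`, and in the `payload_maxlen` check just above it, the bound is tested only after adding 1 to the caller-supplied length. The declaration of `payload_len` is outside this hunk; if it is an unsigned type, a maximal value would wrap to 0 and pass both tests. Writing them as `payload_len >= payload_maxlen` and `payload_len >= sizeof(buf)` rejects the same lengths without doing arithmetic on the input. A one-line comment saying that the `+ 1` is the expected growth of the payload described in the commit message would also explain why both checks carry it.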
Change in libosmo-netif[master]: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
Pau Espin Pedrol has posted comments on this change. ( https://gerrit.osmocom.org/13211 )

Change subject: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
..

Patch Set 1: Code-Review+2

--
To view, visit https://gerrit.osmocom.org/13211

Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228
Gerrit-Change-Number: 13211
Gerrit-PatchSet: 1
Gerrit-Owner: dexter
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: Max
Gerrit-Reviewer: Pau Espin Pedrol
Gerrit-Comment-Date: Tue, 12 Mar 2019 12:14:32 +
Gerrit-HasComments: No
Gerrit-HasLabels: Yes
Change in libosmo-netif[master]: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
Max has posted comments on this change. ( https://gerrit.osmocom.org/13211 )

Change subject: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
..

Patch Set 1: Code-Review+1

--
To view, visit https://gerrit.osmocom.org/13211

Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228
Gerrit-Change-Number: 13211
Gerrit-PatchSet: 1
Gerrit-Owner: dexter
Gerrit-Reviewer: Jenkins Builder (102)
Gerrit-Reviewer: Max
Gerrit-Comment-Date: Tue, 12 Mar 2019 11:29:43 +
Gerrit-HasComments: No
Gerrit-HasLabels: Yes
Change in libosmo-netif[master]: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
dexter has uploaded this change for review. ( https://gerrit.osmocom.org/13211 Change subject: amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf .. amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf osmo_amr_bwe_to_oa() uses an internal buffer with static size to store intermediate results. The buffer is large enough for any real world situation, but the check that tests if the result would fit into the internal buffer is incorrect. It checks if there is enough room for the existing payload, but does not include the expected growth of the payload. Eventually the buffer could be overrun by one byte if one would put a 256 byte long AMR payload. Fixes: CID#195926 Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228 --- M src/amr.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-netif refs/changes/11/13211/1 diff --git a/src/amr.c b/src/amr.c index 9b423e8..9c63f60 100644 --- a/src/amr.c +++ b/src/amr.c @@ -158,7 +158,7 @@ if (payload_len + 1 > payload_maxlen) return -1; - if (payload_len > sizeof(buf)) + if (payload_len + 1 > sizeof(buf)) return -1; buf[0] = payload[0] & 0xf0; -- To view, visit https://gerrit.osmocom.org/13211 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-netif Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228 Gerrit-Change-Number: 13211 Gerrit-PatchSet: 1 Gerrit-Owner: dexter
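Review bot: The change touches only src/amr.c, so the boundary corrected in `if (payload_len + 1 > sizeof(buf))` is not pinned by a test. The commit message names a 256 byte AMR payload as the input that overruns the buffer by one byte; a regression test that calls osmo_amr_bwe_to_oa() with a payload of that length, with payload_maxlen large enough that the first check passes, and expects the -1 return would keep the off-by-one from coming back.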