[MERGED] osmo-msc[master]: libmsc: gsm340_gen_oa_sub() may return negative value

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Sun Aug 27 00:34:52 UTC 2017


Neels Hofmeyr has submitted this change and it was merged.

Change subject: libmsc: gsm340_gen_oa_sub() may return negative value
......................................................................


libmsc: gsm340_gen_oa_sub() may return negative value

gsm340_gen_oa() returns a negative value if the output buffer that the
caller passes is too small, so we have to check the return value of this
function.

Fixes: CID 174178
Fixes: CID 174179
Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
---
M src/libmsc/gsm_04_11.c
1 file changed, 9 insertions(+), 2 deletions(-)

Approvals:
  Neels Hofmeyr: Looks good to me, approved



diff --git a/src/libmsc/gsm_04_11.c b/src/libmsc/gsm_04_11.c
index 261e5cd..eede74c 100644
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@@ -215,9 +215,9 @@
 {
 	uint8_t *smsp;
 	uint8_t oa[12];	/* max len per 03.40 */
-	uint8_t oa_len = 0;
 	uint8_t octet_len;
 	unsigned int old_msg_len = msg->len;
+	int oa_len;
 
 	/* generate first octet with masked bits */
 	smsp = msgb_put(msg, 1);
@@ -235,6 +235,9 @@
 
 	/* generate originator address */
 	oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->src);
+	if (oa_len < 0)
+		return -ENOSPC;
+
 	smsp = msgb_put(msg, oa_len);
 	memcpy(smsp, oa, oa_len);
 
@@ -284,9 +287,9 @@
 					     struct gsm_sms *sms)
 {
 	unsigned int old_msg_len = msg->len;
-	uint8_t oa_len = 0;
 	uint8_t oa[12];	/* max len per 03.40 */
 	uint8_t *smsp;
+	int oa_len;
 
 	/* generate first octet with masked bits */
 	smsp = msgb_put(msg, 1);
@@ -298,8 +301,12 @@
 	/* TP-MR (message reference) */
 	smsp = msgb_put(msg, 1);
 	*smsp = sms->msg_ref;
+
 	/* generate recipient address */
 	oa_len = gsm340_gen_oa_sub(oa, sizeof(oa), &sms->dst);
+	if (oa_len < 0)
+		return -ENOSPC;
+
 	smsp = msgb_put(msg, oa_len);
 	memcpy(smsp, oa, oa_len);
 

-- 
To view, visit https://gerrit.osmocom.org/3651
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I47215d7d89771730a7f84efa8aeeb187a0911fdb
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Pablo Neira Ayuso <pablo at gnumonks.org>



More information about the gerrit-log mailing list