[PATCH] libosmocore[master]: gsm0480: drop messages with incorrect data length

Vadim Yanitskiy gerrit-no-reply at lists.osmocom.org
Wed Apr 4 13:24:19 UTC 2018


Hello Jenkins Builder,

I'd like you to reexamine a change.  Please visit

    https://gerrit.osmocom.org/7630

to look at the new patch set (#2).

gsm0480: drop messages with incorrect data length

If either an INVOKE or a RETURN_RESULT component has
data with an incorrect length (see Annex A, 3GPP TS 04.80), the
whole message is probably incorrect.

Let's drop such messages instead of silently truncating them.

Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808
---
M src/gsm/gsm0480.c
1 file changed, 12 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/30/7630/2

diff --git a/src/gsm/gsm0480.c b/src/gsm/gsm0480.c
index 38082b3..636f267 100644
--- a/src/gsm/gsm0480.c
+++ b/src/gsm/gsm0480.c
@@ -552,8 +552,12 @@
 	if (num_chars > length - 2)
 		return 0;
 
-	if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
-		num_chars = GSM0480_USSD_OCTET_STRING_LEN;
+	/* Drop messages with incorrect length */
+	if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
+		LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, "
+			"dropping message", num_chars);
+		return 0;
+	}
 
 	memcpy(req->ussd_text, uss_req_data + 2, num_chars);
 
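Review bot: The guard placed before memcpy(req->ussd_text, uss_req_data + 2, num_chars) compares num_chars against GSM0480_USSD_OCTET_STRING_LEN, a constant that nothing in the visible lines ties to the size of the destination. Comparing against sizeof(req->ussd_text) would keep the check correct if the buffer is ever resized, and would match the way the third hunk passes sizeof(req->ussd_text) to the decoder. Separately, the LOGP() format string ends at "dropping message" with no trailing "\n", here and in the USS_REQ hunk, so the error line will run into the next log entry.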
@@ -588,9 +592,12 @@
 	/* Get the amount of bytes */
 	num_chars = uss_req_data[6];
 
-	/* Prevent a mobile-originated buffer-overrun! */
-	if (num_chars > GSM0480_USSD_OCTET_STRING_LEN)
-		num_chars = GSM0480_USSD_OCTET_STRING_LEN;
+	/* Drop messages with incorrect length */
+	if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) {
+		LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, "
+			"dropping message", num_chars);
+		return 0;
+	}
 
 	/* Copy the data 'as is' */
 	memcpy(req->ussd_data, uss_req_data + 7, num_chars);
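Review bot: num_chars is taken from uss_req_data[6] and, in the lines shown, is checked only against the destination capacity before memcpy(req->ussd_data, uss_req_data + 7, num_chars); nothing visible here compares it with the number of bytes actually received. The first hunk has "if (num_chars > length - 2) return 0;" for that purpose, and an equivalent test for offset 7 belongs here unless it already exists above this context, otherwise a short message carrying a large length octet makes the copy read past the input. The replaced comment also recorded why the check exists ("Prevent a mobile-originated buffer-overrun!"); the new comment should keep that rationale, since the length octet is controlled by the peer.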
@@ -605,10 +612,6 @@
 	if (dcs == 0x0F) {
 		/* Calculate the amount of 7-bit characters */
 		num_chars = (num_chars * 8) / 7;
-
-		/* Prevent a mobile-originated buffer-overrun! */
-		if (num_chars > GSM0480_USSD_7BIT_STRING_LEN)
-			num_chars = GSM0480_USSD_7BIT_STRING_LEN;
 
 		gsm_7bit_decode_n_ussd((char *)req->ussd_text,
 			sizeof(req->ussd_text), &(uss_req_data[7]), num_chars);
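Review bot: With the GSM0480_USSD_7BIT_STRING_LEN clamp removed, the only bound left on the dcs == 0x0F path is the sizeof(req->ussd_text) argument to gsm_7bit_decode_n_ussd(), while num_chars can now reach (GSM0480_USSD_OCTET_STRING_LEN * 8) / 7 septets. If that value can exceed what req->ussd_text holds, the text is cut off inside the decoder without any log line, which is the silent truncation the commit message sets out to remove. Either add a compile-time assertion that the septet count derived from GSM0480_USSD_OCTET_STRING_LEN fits the buffer, or check the computed num_chars here and drop the message with the same error log as the other two hunks.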

-- 
To view, visit https://gerrit.osmocom.org/7630
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808
Gerrit-PatchSet: 2
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder


