This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgReview at https://gerrit.osmocom.org/7840 prevent integer underflow in ipa_ccm_make_id_resp_from_req() don't blindly trust the tag-length value in an IPA CCM ID GET message. This could result in a remotely-triggered integer underflow. Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15 --- M src/gsm/ipa.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/40/7840/1 diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c index e03f615..0c7aaad 100644 --- a/src/gsm/ipa.c +++ b/src/gsm/ipa.c @@ -328,7 +328,12 @@ ies[num_ies++] = t_tag; cur += t_len; - len -= t_len; + /* prevent any unsigned integer underflow due to somebody sending us + * messages with wrong length values */ + if (len <= t_len) + len -= t_len; + else + len = 0; } return ipa_ccm_make_id_resp(dev, ies, num_ies); } -- To view, visit https://gerrit.osmocom.org/7840 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15 Gerrit-PatchSet: 1 Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
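Review bot: The condition added in the src/gsm/ipa.c hunk at line 328 is inverted. `if (len <= t_len) len -= t_len;` does the subtraction in exactly the case the comment says it guards against: when len is smaller than t_len, it still wraps, assuming len is unsigned as the commit message implies. The well-formed case, len > t_len, falls through to `len = 0` and throws away the remaining length, so later tags in a valid message are no longer counted. Suggest `if (len >= t_len) len -= t_len; else len = 0;`. Separately, `cur += t_len` still runs before the new check, so the pointer is advanced by the untrusted length even when that length exceeds what is left. Either move the bounds check ahead of the pointer advance, or confirm that the enclosing loop exits on len == 0 before cur is read again.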