This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgReview at https://gerrit.osmocom.org/7841 ipa_asp_fsm: Prevent against integer underflow Ensure we don't pass a negative integer as "unsigned int len" to ipa_asp_fsm_wait_id_get(). This could result in a remotely-triggered integer underflow. Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce --- M src/xua_asp_fsm.c 1 file changed, 5 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/41/7841/1 diff --git a/src/xua_asp_fsm.c b/src/xua_asp_fsm.c index e81f0af..93c76cb 100644 --- a/src/xua_asp_fsm.c +++ b/src/xua_asp_fsm.c @@ -881,6 +881,11 @@ data_len = msgb_l2len(msg_get)-1; LOGPFSM(fi, "Received IPA CCM IDENTITY REQUEST for IEs %s\n", osmo_hexdump(req_data, data_len)); + /* avoid possible unsigned integer underflow, as ipa_ccm_make_id_resp_from_req() + * expects an unsigned integer, and in case of a zero-length L2 message we might + * have data_len == -1 here */ + if (data_len < 0) + data_len = 0; /* Send ID_RESP to server */ msg_resp = ipa_ccm_make_id_resp_from_req(iafp->ipa_unit, req_data, data_len); if (!msg_resp) { -- To view, visit https://gerrit.osmocom.org/7841 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce Gerrit-PatchSet: 1 Gerrit-Project: libosmo-sccp Gerrit-Branch: master Gerrit-Owner: Harald Welte <laforge at gnumonks.org>