[MERGED] libosmo-sccp[master]: ipa_asp_fsm: Prevent against integer underflow

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Tue Apr 17 12:10:00 UTC 2018


Harald Welte has submitted this change and it was merged.

Change subject: ipa_asp_fsm: Prevent against integer underflow
......................................................................


ipa_asp_fsm: Prevent against integer underflow

Ensure we don't pass a negative integer as "unsigned int len" to
ipa_asp_fsm_wait_id_get().  This could result in a remotely-triggered
integer underflow.

Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce
---
M src/xua_asp_fsm.c
1 file changed, 5 insertions(+), 0 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/xua_asp_fsm.c b/src/xua_asp_fsm.c
index e81f0af..93c76cb 100644
--- a/src/xua_asp_fsm.c
+++ b/src/xua_asp_fsm.c
@@ -881,6 +881,11 @@
 		data_len = msgb_l2len(msg_get)-1;
 		LOGPFSM(fi, "Received IPA CCM IDENTITY REQUEST for IEs %s\n",
 			osmo_hexdump(req_data, data_len));
+		/* avoid possible unsigned integer underflow, as ipa_ccm_make_id_resp_from_req()
+		 * expects an unsigned integer, and in case of a zero-length L2 message we might
+		 * have data_len == -1 here */
+		if (data_len < 0)
+			data_len = 0;
 		/* Send ID_RESP to server */
 		msg_resp = ipa_ccm_make_id_resp_from_req(iafp->ipa_unit, req_data, data_len);
 		if (!msg_resp) {

-- 
To view, visit https://gerrit.osmocom.org/7841
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce
Gerrit-PatchSet: 1
Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder



More information about the gerrit-log mailing list