This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Stefan Sperling gerrit-no-reply at lists.osmocom.orgPatch Set 2: Code-Review-1 (2 comments) https://gerrit.osmocom.org/#/c/5424/2/src/libmsc/a_iface_bssap.c File src/libmsc/a_iface_bssap.c: Line 328: msg->l3h = msgb_put(msg, TLVP_LEN(&tp, GSM0808_IE_LAYER_3_INFORMATION)); msgb_put() will panic if the length value provided in the data packet exceeds the length of the message buffer. So this could be used as a DoS attack vector. Could we compare the length value from the packet to msgb_l3len() and goto fail if the length value is larger? Line 425: msg->l3h = msgb_put(msg, TLVP_LEN(&tp, GSM0808_IE_LAYER_3_MESSAGE_CONTENTS)); Same problem. -- To view, visit https://gerrit.osmocom.org/5424 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I28073efd5cff58cd212341bceee784caf08d5ad8 Gerrit-PatchSet: 2 Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de> Gerrit-Reviewer: Stefan Sperling <ssperling at sysmocom.de> Gerrit-HasComments: Yes