laforge gerrit-no-reply at lists.osmocom.orglaforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/15370 Change subject: cbsp: Fix endless loop iteration when decoding cell list IEs ...................................................................... cbsp: Fix endless loop iteration when decoding cell list IEs The CBSP code assumed that gsm0808_decode_cell_id_u() would return the number of bytes it has consumed/parsed. But it actually always returns '0', whcih makes us run in an endless loop :( Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6 --- M include/osmocom/gsm/gsm0808_utils.h M src/gsm/cbsp.c M src/gsm/gsm0808_utils.c 3 files changed, 26 insertions(+), 4 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/70/15370/1
diff --git a/include/osmocom/gsm/gsm0808_utils.h b/include/osmocom/gsm/gsm0808_utils.h
index 76db2b6..ccdf5ed 100644
--- a/include/osmocom/gsm/gsm0808_utils.h
+++ b/include/osmocom/gsm/gsm0808_utils.h
@@ -95,6 +95,7 @@ int gsm0808_cell_id_to_cgi(struct osmo_cell_global_id *cgi, const struct gsm0808_cell_id *cid); void gsm0808_msgb_put_cell_id_u(struct msgb *msg, enum CELL_IDENT id_discr, const union gsm0808_cell_id_u *u); int gsm0808_decode_cell_id_u(union gsm0808_cell_id_u *out, enum CELL_IDENT discr, const uint8_t *buf, unsigned int len); +int gsm0808_cell_id_size(enum CELL_IDENT discr); uint8_t gsm0808_enc_cause(struct msgb *msg, uint16_t cause); uint8_t gsm0808_enc_aoip_trasp_addr(struct msgb *msg,
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 84b9235..c13be61 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -515,7 +515,7 @@
 osmo_cbsp_errstr = "cell list: error decoding cell_id_union";
 return rc;
 }
- cur += rc;
+ cur += gsm0808_cell_id_size(cl->id_discr);
 llist_add_tail(&ent->list, &cl->list);
 }
 return 0;
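Review bot: The value added to `cur` on the new `+ cur += gsm0808_cell_id_size(cl->id_discr);` line is never checked, yet gsm0808_cell_id_size() returns -EINVAL from its default branch, so an unknown discriminator would move the cursor backwards and make the next iteration read before the start of the IE. That is only unreachable if gsm0808_decode_cell_id_u() is guaranteed to reject every discriminator the size helper does not know, which the hunk does not show. Keep the result in a local and fail through the same path as the decode error just above it, with whatever cleanup of ent that path performs: `int sz = gsm0808_cell_id_size(cl->id_discr);` / `if (sz < 0) { osmo_cbsp_errstr = "cell list: unknown cell_id discriminator"; return sz; }` / `cur += sz;`. The same unchecked addition is in the fail-list, load-list and completed-list hunks of this file. Separately, for CELL_IDENT_BSS and CELL_IDENT_NO_CELL the helper returns 0, so in this cell-list loop `cur` still does not advance; unless the loop header (outside the hunk, like the rest of the enclosing function) treats those discriminators specially, a cell list IE with trailing bytes after such a discriminator would still loop forever, which is the very bug the commit sets out to fix, so treating `sz == 0` as an error here as well would close it.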
@@ -538,7 +538,7 @@
 osmo_cbsp_errstr = "fail list: error decoding cell_id_union";
 return rc;
 }
- cur += rc;
+ cur += gsm0808_cell_id_size(ent->id_discr);
 ent->cause = *cur++;
 llist_add_tail(&ent->list, fl);
 }
@@ -562,7 +562,7 @@
 osmo_cbsp_errstr = "load list: error decoding cell_id_union";
 return rc;
 }
- cur += rc;
+ cur += gsm0808_cell_id_size(ll->id_discr);
 if (cur + 2 > buf + len) {
 talloc_free(ent);
 osmo_cbsp_errstr = "load list: truncated IE";
@@ -592,7 +592,7 @@
 osmo_cbsp_errstr = "completed list: error decoding cell_id_union";
 return rc;
 }
- cur += rc;
+ cur += gsm0808_cell_id_size(cl->id_discr);
 if (cur + 3 > buf + len) {
 talloc_free(ent);
 osmo_cbsp_errstr = "completed list: truncated IE";
diff --git a/src/gsm/gsm0808_utils.c b/src/gsm/gsm0808_utils.c
index 364a04f..7416d8f 100644
--- a/src/gsm/gsm0808_utils.c
+++ b/src/gsm/gsm0808_utils.c
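Review bot: `ent->cause = *cur++;` reads one byte after the cell identifier without any visible bounds check, while the load-list and completed-list hunks below guard their fixed trailer with `if (cur + 2 > buf + len)` and `if (cur + 3 > buf + len)` before reading. Unless the loop condition, which lies outside the hunk together with the rest of the enclosing function, already reserves that extra byte, an entry whose cell identifier ends exactly at the IE boundary reads one byte past `buf + len`. Add the same guard before the read, returning whatever error code the other truncated-IE paths use (their return statements are cut off in these hunks): `if (cur + 1 > buf + len) { talloc_free(ent); osmo_cbsp_errstr = "fail list: truncated IE"; return -EINVAL; }`.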
@@ -767,6 +767,27 @@ return (int)(elem - old_elem); } +/* Return the size of the value part of a cell identifier of given type */ +int gsm0808_cell_id_size(enum CELL_IDENT discr) +{ + switch (discr) { + case CELL_IDENT_WHOLE_GLOBAL: + return 7; + case CELL_IDENT_LAC_AND_CI: + return 4; + case CELL_IDENT_CI: + return 2; + case CELL_IDENT_LAI_AND_LAC: + return 5; + case CELL_IDENT_LAC: + return 2; + case CELL_IDENT_BSS: + case CELL_IDENT_NO_CELL: + return 0; + default: + return -EINVAL; + } +} /*! Decode a single GSM 08.08 Cell ID list element payload * \param[out] out caller-provided output union * \param[in] discr Cell ID discriminator describing type to be decoded -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/15370 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6 Gerrit-Change-Number: 15370 Gerrit-PatchSet: 1 Gerrit-Owner: laforge <laforge at gnumonks.org> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190831/afc0da5c/attachment.htm>
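Review bot: gsm0808_cell_id_size() is exported through the public header, but its comment is a plain `/* ... */` one-liner while the adjacent `/*! Decode ... \param ...` block uses the file's Doxygen style, and the -EINVAL return is not documented even though cbsp.c adds the result directly to a pointer. Replace the comment with a Doxygen block: `/*! Return the size of the value part of a cell identifier of given type` / ` *  \param[in] discr Cell ID discriminator` / ` *  \returns value size in bytes (0 for BSS and NO_CELL); negative on error (-EINVAL for an unknown discriminator), so callers must check the sign before using it as an offset */`. The sizes themselves match the 3GPP TS 48.008 cell identifier encodings (CGI 7, LAC+CI 4, CI 2, LAI 5, LAC 2 bytes). Using -EINVAL presumes <errno.h> is already included in this file, which the hunk does not show, and the Doxygen block following the new function continues past the end of the hunk.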