This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
pespin gerrit-no-reply at lists.osmocom.orgpespin has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/osmo-mgw/+/14966 )
Change subject: Fix return variable of strtoul()
......................................................................
Fix return variable of strtoul()
Return variable specified by strtoul() is "unsigned long int". If
"unsigned int" is used, according to Coverity the return value can never
be ULONG_MAX:
CID 202173: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
"pt == 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&".
Furthermore, PT is 7 bit in RTP header [1], so let's avoid accepting
incorrect values.
[1] https://tools.ietf.org/html/rfc3550#section-5
Fixes: c5c1430a1c00ad86855ffff3df3f106bb2bce1d5 ("Catch unsigned integer MGCP parsing errors with strtoul")
Fixes: Coverity CID#202172
FIxes: Coverity CID#202173
Change-Id: Ice9eee6a252fab73dbab5ebf3cfc83c1b354fd08
---
M src/libosmo-mgcp-client/mgcp_client.c
M src/libosmo-mgcp/mgcp_sdp.c
2 files changed, 8 insertions(+), 2 deletions(-)
Approvals:
Jenkins Builder: Verified
daniel: Looks good to me, but someone else must approve
laforge: Looks good to me, approved
diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c
index 910289e..3f8e780 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -268,7 +268,7 @@
{
char *pt_str;
char *pt_end;
- unsigned int pt;
+ unsigned long int pt;
unsigned int count = 0;
unsigned int i;
@@ -298,6 +298,9 @@
pt_str == pt_end)
goto response_parse_failure_pt;
+ if (pt >> 7) /* PT is 7 bit field, higher values not allowed */
+ goto response_parse_failure_pt;
+
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
if (r->codecs[i] == pt)
diff --git a/src/libosmo-mgcp/mgcp_sdp.c b/src/libosmo-mgcp/mgcp_sdp.c
index 56fc611..01e7968 100644
--- a/src/libosmo-mgcp/mgcp_sdp.c
+++ b/src/libosmo-mgcp/mgcp_sdp.c
@@ -132,7 +132,7 @@
char *str_ptr;
char *pt_str;
char *pt_end;
- unsigned int pt;
+ unsigned long int pt;
unsigned int count = 0;
unsigned int i;
@@ -163,6 +163,9 @@
pt_str == pt_end)
goto error;
+ if (pt >> 7) /* PT is 7 bit field, higher values not allowed */
+ goto error;
+
/* Do not allow duplicate payload types */
for (i = 0; i < count; i++)
if (codecs[i].payload_type == pt)
--
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/14966
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Ice9eee6a252fab73dbab5ebf3cfc83c1b354fd08
Gerrit-Change-Number: 14966
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at gnumonks.org>
Gerrit-Reviewer: osmith <osmith at sysmocom.de>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190730/6432a061/attachment.htm>