Change in ...osmo-msc[master]: libmsc/db.c: fix potential integer overflow

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Tue Jun 4 20:53:40 UTC 2019


Hello pespin, Neels Hofmeyr, Harald Welte, Jenkins Builder, 

I'd like you to reexamine a change. Please visit

    https://gerrit.osmocom.org/c/osmo-msc/+/13470

to look at the new patch set (#9).

Change subject: libmsc/db.c: fix potential integer overflow
......................................................................

libmsc/db.c: fix potential integer overflow

The value of 'sms->user_data_len' is fetched from the database:

  sms->user_data_len = dbi_result_get_field_length(result, "user_data");

and this is where the problem is. As per the libdbi's documentation
(see 3.5.3), dbi_result_get_field_length() returns the length in
bytes of the value stored in the specified field:

  unsigned int dbi_result_get_field_length(dbi_result Result,
                                           const char *fieldname)

so 'unsigned int' is assigned to 'uint8_t', what could lead to an
integer overflow if the value is grather than 0xff. As a result,
if the database for some reason does contain such odd TP-UD,
the truncation of 'user_data' would be done incorrectly.

Let's avoid such direct assignment, and use a separate variable.
Also, let's warn user if TP-UDL value is grether than 140, as
per 3GPP TS 03.40.

Change-Id: Ibbd588545e1a4817504c806a3d02cf59d5938ee2
Related: OS#3684
---
M src/libmsc/db.c
1 file changed, 27 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/70/13470/9
-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/13470
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ibbd588545e1a4817504c806a3d02cf59d5938ee2
Gerrit-Change-Number: 13470
Gerrit-PatchSet: 9
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newpatchset
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190604/2cb0f4a5/attachment.htm>


More information about the gerrit-log mailing list