This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
dexter gerrit-no-reply at lists.osmocom.org

dexter has uploaded this change for review. ( https://gerrit.osmocom.org/13306 )

Change subject: osmo_bsc_bssap: check bssmap length field
......................................................................

osmo_bsc_bssap: check bssmap length field

At the moment the length field of the bssmap header is not parsed.
Instead the length is computed out of the known header length and the
number of bytes received. This is prone to error, let's make sure that
extraneous data at the end of a message is ignored by parsing the bssmap
length correctly.

Change-Id: Idef2e783d2377a2ad1f697ea4d26491a32b3e549
Related: OS#3806
---
M src/osmo-bsc/osmo_bsc_bssap.c
1 file changed, 30 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/06/13306/1

diff --git a/src/osmo-bsc/osmo_bsc_bssap.c b/src/osmo-bsc/osmo_bsc_bssap.c index 85aab22..4c7bcb3 100644 --- a/src/osmo-bsc/osmo_bsc_bssap.c +++ b/src/osmo-bsc/osmo_bsc_bssap.c 
@@ -1081,6 +1081,35 @@ return 0; } +/* Extract and verify the length information from the BSSMAP header. */ +static unsigned int bssmap_msg_len(struct msgb *msg, unsigned int length) +{ + unsigned int expected_len; + unsigned int calculated_len; + struct bssmap_header *bssmap_header; + + bssmap_header = (struct bssmap_header *)msg->l3h; + + calculated_len = length - sizeof(struct bssmap_header); + expected_len = bssmap_header->length; + + /* In case of contradictory length information, decide for the + * shorter length */ + if (calculated_len > expected_len) { + LOGP(DMSC, LOGL_NOTICE, + "BSSMAP message contains extranous data, expected %u bytes, got %u bytes, truncated\n", + expected_len, calculated_len); + return expected_len; + } else if (calculated_len < expected_len) { + LOGP(DMSC, LOGL_NOTICE, + "Short BSSMAP message, expected %u bytes, got %u bytes\n", + expected_len, calculated_len); + return calculated_len; + } + + return expected_len; +} + int bsc_handle_dt(struct gsm_subscriber_connection *conn, struct msgb *msg, unsigned int len) { @@ -1093,7 +1122,7 @@ switch (msg->l3h[0]) { case BSSAP_MSG_BSS_MANAGEMENT: msg->l4h = &msg->l3h[sizeof(struct bssmap_header)]; - bssmap_rcvmsg_dt1(conn, msg, len - sizeof(struct bssmap_header)); + bssmap_rcvmsg_dt1(conn, msg, bssmap_msg_len(msg, len)); break; case BSSAP_MSG_DTAP: dtap_rcvmsg(conn, msg, len); -- To view, visit https://gerrit.osmocom.org/13306 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Idef2e783d2377a2ad1f697ea4d26491a32b3e549 Gerrit-Change-Number: 13306 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190318/227d575d/attachment.htm>
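Review bot: in bssmap_msg_len() (first hunk), `calculated_len = length - sizeof(struct bssmap_header);` is unsigned arithmetic with no check that `length` covers the header, so a message shorter than the header wraps calculated_len to a very large value. The function then takes the `calculated_len > expected_len` branch and returns the length byte from the header, which is read from `msg->l3h` without any guarantee that the byte was actually received, and the caller is told to parse up to that many bytes that are not there. Nothing visible in this hunk guarantees `length >= sizeof(struct bssmap_header)`, so please test for that before the subtraction and give the function a way to report failure (for example a signed return with a negative error) so the caller can drop the message. Smaller point: the log string spells "extranous"; it should read "extraneous".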
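Review bot: in bsc_handle_dt() (second hunk), the BSSAP_MSG_BSS_MANAGEMENT case passes whatever bssmap_msg_len() returns straight into bssmap_rcvmsg_dt1(), so a message the helper itself logs as "Short BSSMAP message" is still parsed with the truncated length instead of being rejected. The commit message only argues for ignoring trailing data; for the short case, a header that claims more bytes than arrived means the message is incomplete, and dropping it here would be the safer default. `msg->l4h` is also set before any length validation happens, so it would be cleaner to validate `len` first and only then set l4h and dispatch. The DTAP case below still passes the raw `len`, which is worth a sentence in the commit message saying why it does not need the same treatment.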