Change in libosmocore[master]: gsm48_decode_bcd_number2(): fix input len check

Harald Welte gerrit-no-reply at lists.osmocom.org
Sun May 5 16:23:42 UTC 2019


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13815 )

Change subject: gsm48_decode_bcd_number2(): fix input len check
......................................................................

gsm48_decode_bcd_number2(): fix input len check

The input_len argument for gsm48_decode_bcd_number2() includes the BCD length
*and* the length byte itself, so add the missing +1.

Also clarify the API doc for the input_len argument.

Change-Id: I87599641325c04aae2be224ec350b1a145039528
---
M src/gsm/gsm48_ie.c
1 file changed, 3 insertions(+), 2 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/gsm/gsm48_ie.c b/src/gsm/gsm48_ie.c
index 049f5dc..0e5f253 100644
--- a/src/gsm/gsm48_ie.c
+++ b/src/gsm/gsm48_ie.c
@@ -80,7 +80,7 @@
  * \param[out] output  Caller-provided output buffer.
  * \param[in] output_len  sizeof(output).
  * \param[in] bcd_lv  Length-Value part of to-be-decoded IE.
- * \param[in] input_len  Size of the buffer to read the IE from.
+ * \param[in] input_len  Size of the bcd_lv buffer for bounds checking.
  * \param[in] h_len  Length of an optional header between L and V parts.
  * \return 0 in case of success, negative on error. Errors checked: no or too little input data, no or too little
  * output buffer size, IE length exceeds input data size, decoded number exceeds size of the output buffer. The output
@@ -97,7 +97,8 @@
 	if (input_len < 1)
 		return -EIO;
 	len = bcd_lv[0];
-	if (input_len < len)
+	/* len + 1: the BCD length plus the length byte itself must fit in the input buffer. */
+	if (input_len < len + 1)
 		return -EIO;
 	return gsm48_decode_bcd_number(output, output_len, bcd_lv, h_len);
 }

-- 
To view, visit https://gerrit.osmocom.org/13815
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I87599641325c04aae2be224ec350b1a145039528
Gerrit-Change-Number: 13815
Gerrit-PatchSet: 3
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder (1000002)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190505/0d1953c6/attachment.html>


More information about the gerrit-log mailing list