Change in osmo-msc[master]: libmsc/gsm_04_08.c: fix sizeof(pointer) instead of sizeof(struct)
Vadim Yanitskiy
gerrit-no-reply at lists.osmocom.org
Wed May 8 10:22:17 UTC 2019
Vadim Yanitskiy has uploaded this change for review. ( https://gerrit.osmocom.org/13907 )
Change subject: libmsc/gsm_04_08.c: fix sizeof(pointer) instead of sizeof(struct)
......................................................................
libmsc/gsm_04_08.c: fix sizeof(pointer) instead of sizeof(struct)
In gsm48_rx_mm_serv_req() we need to make sure that a given message
buffer is large enough to contain both 'gsm48_hdr' and
'gsm48_service_request' structures.
Comparing msg->data_len with size of pointer is wrong because:
- we actually need to compare with size of struct(s),
- we need msgb_l3len(), not length of the whole buffer.
Change-Id: I6e7454d7a6f63fd5a0e12fb90d8c58688da0951e
---
M src/libmsc/gsm_04_08.c
1 file changed, 19 insertions(+), 12 deletions(-)
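The two points in the commit message (compare against the size of the structures rather than a pointer, and against the L3 length rather than the whole buffer) generalise to any parser of a length-prefixed L3 message. The following is an added, stand-alone C example written for this page; it is not osmo-msc or libosmocore code. The struct layouts, the `parse_cm_service_request()` function and the sample messages are assumptions made for the example: the header is two bytes, the request carries a service type byte, a Classmark 2 LV and a Mobile Identity LV, and every read is bounded by what the buffer actually holds, including the peer-supplied classmark2 length that the variable-length Phase 1 encoding forces the parser to trust.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for gsm48_hdr / gsm48_service_request. The field
 * layout is an assumption made for this example, not libosmocore's. */
struct l3_hdr_ex {
	uint8_t proto_discr;
	uint8_t msg_type;
	uint8_t data[];           /* payload follows the 2-byte header */
};

struct serv_req_ex {
	uint8_t cm_service_type;  /* service type / key sequence byte */
	uint8_t classmark2_len;   /* LV length byte; variable in Phase 1 */
	uint8_t classmark2[3];    /* nominal 3-byte Classmark 2 */
	uint8_t mi_len;           /* only at this offset when classmark2_len == 3 */
};

enum parse_rc {
	PARSE_OK = 0,
	PARSE_TOO_SHORT = -1,     /* header + fixed part do not fit */
	PARSE_BAD_CLASSMARK = -2, /* classmark2 length points past the buffer */
	PARSE_MI_TRUNCATED = -3,  /* MI length exceeds what is left */
};

struct parsed_req {
	uint8_t service_type;
	uint8_t classmark2_len;
	const uint8_t *classmark2;
	uint8_t mi_len;
	const uint8_t *mi;
};

/* Parse a CM SERVICE REQUEST from an L3 buffer of l3len bytes (the quantity
 * msgb_l3len() yields in osmo-msc), bounding every read by what is present. */
int parse_cm_service_request(const uint8_t *l3, size_t l3len, struct parsed_req *out)
{
	const struct l3_hdr_ex *gh = (const struct l3_hdr_ex *) l3;
	const uint8_t *p;
	size_t avail, mi_off;

	/* Compare against the size of the structures, not of a pointer to them. */
	if (l3len < sizeof(*gh) + sizeof(struct serv_req_ex))
		return PARSE_TOO_SHORT;

	p = gh->data;
	avail = l3len - sizeof(*gh);
	out->service_type = p[0];
	out->classmark2_len = p[1];

	/* classmark2_len comes from the peer, so it is checked before it is
	 * used as the offset of the MI length byte. */
	mi_off = 2 + (size_t) out->classmark2_len;
	if (mi_off + 1 > avail)
		return PARSE_BAD_CLASSMARK;
	out->classmark2 = p + 2;
	out->mi_len = p[mi_off];
	out->mi = p + mi_off + 1;

	/* The MI itself must also fit in the remaining bytes. */
	if (mi_off + 1 + out->mi_len > avail)
		return PARSE_MI_TRUNCATED;
	return PARSE_OK;
}

/* Constructed sample messages (not captures): PD/MT, service type byte,
 * then Classmark 2 LV and Mobile Identity LV. */
static const uint8_t SAMPLE_OK[] = {
	0x05, 0x24, 0x01, 0x03, 0x33, 0x19, 0xa2, 0x05, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t SAMPLE_PHASE1[] = {     /* 2-byte Classmark 2 */
	0x05, 0x24, 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x01, 0x02 };
static const uint8_t SAMPLE_SHORT[] = { 0x05, 0x24, 0x01, 0x03, 0x33 };
static const uint8_t SAMPLE_BAD_CM[] = {     /* classmark2_len = 0xff */
	0x05, 0x24, 0x01, 0xff, 0x33, 0x19, 0xa2, 0x05, 0x11, 0x22 };
static const uint8_t SAMPLE_BAD_MI[] = {     /* mi_len = 0x20, only 5 bytes follow */
	0x05, 0x24, 0x01, 0x03, 0x33, 0x19, 0xa2, 0x20, 0x11, 0x22, 0x33, 0x44, 0x55 };

/* Return code only, convenient for stand-alone checks. */
int check_sample(const uint8_t *buf, size_t len)
{
	struct parsed_req r;
	return parse_cm_service_request(buf, len, &r);
}

/* MI length on success, or -1 if the message is rejected. */
int sample_mi_len(const uint8_t *buf, size_t len)
{
	struct parsed_req r;
	if (parse_cm_service_request(buf, len, &r) != PARSE_OK)
		return -1;
	return r.mi_len;
}

int main(void)
{
	printf("ok=%d phase1=%d short=%d bad_cm=%d bad_mi=%d\n",
	       check_sample(SAMPLE_OK, sizeof(SAMPLE_OK)),
	       check_sample(SAMPLE_PHASE1, sizeof(SAMPLE_PHASE1)),
	       check_sample(SAMPLE_SHORT, sizeof(SAMPLE_SHORT)),
	       check_sample(SAMPLE_BAD_CM, sizeof(SAMPLE_BAD_CM)),
	       check_sample(SAMPLE_BAD_MI, sizeof(SAMPLE_BAD_MI)));
	return 0;
}
```

The first check mirrors the patch (fixed header plus fixed request part); the second and third are the ones a parser needs once a length byte inside the message decides where the next field starts, because after the fixed-size check the only bytes known to exist are those two structures.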
git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/07/13907/1
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 32a7b7f..ac00025 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -738,28 +738,35 @@
{
struct gsm_network *net = conn->network;
uint8_t mi_type;
- struct gsm48_hdr *gh = msgb_l3(msg);
- struct gsm48_service_request *req =
- (struct gsm48_service_request *)gh->data;
+ struct gsm48_hdr *gh;
+ struct gsm48_service_request *req;
/* unfortunately in Phase1 the classmark2 length is variable */
- uint8_t classmark2_len = gh->data[1];
- uint8_t *classmark2 = gh->data+2;
- uint8_t *mi_p = classmark2 + classmark2_len;
- uint8_t mi_len = *mi_p;
- uint8_t *mi = mi_p + 1;
+ uint8_t classmark2_len;
+ uint8_t *classmark2;
+ uint8_t *mi_p;
+ uint8_t mi_len;
+ uint8_t *mi;
struct osmo_location_area_id lai;
bool is_utran;
lai.plmn = conn->network->plmn;
lai.lac = conn->lac;
- if (msg->data_len < sizeof(struct gsm48_service_request*)) {
+ /* Make sure that both header and CM Service Request fit into the buffer */
+ if (msgb_l3len(msg) < sizeof(*gh) + sizeof(*req)) {
LOG_RAN_CONN(conn, LOGL_ERROR, "Rx CM SERVICE REQUEST: wrong message size (%u < %zu)\n",
- msg->data_len, sizeof(struct gsm48_service_request*));
- return msc_gsm48_tx_mm_serv_rej(conn,
- GSM48_REJECT_INCORRECT_MESSAGE);
+ msgb_l3len(msg), sizeof(*gh) + sizeof(*req));
+ return msc_gsm48_tx_mm_serv_rej(conn, GSM48_REJECT_INCORRECT_MESSAGE);
}
+ gh = (struct gsm48_hdr *) msgb_l3(msg);
+ req = (struct gsm48_service_request *) gh->data;
+ classmark2_len = gh->data[1];
+ classmark2 = gh->data + 2;
+ mi_p = classmark2 + classmark2_len;
+ mi_len = *mi_p;
+ mi = mi_p + 1;
+
if (msg->data_len < req->mi_len + 6) {
LOG_RAN_CONN(conn, LOGL_ERROR, "Rx CM SERVICE REQUEST: message does not fit in packet\n");
return msc_gsm48_tx_mm_serv_rej(conn,
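Review bot: the remaining check `if (msg->data_len < req->mi_len + 6)` still compares msg->data_len, the quantity the commit message says is wrong; it should use msgb_l3len(msg) like the new check above it. Separately, classmark2_len is taken from gh->data[1] and then used as an offset for `mi_len = *mi_p;`, but the new length check only guarantees sizeof(*gh) + sizeof(*req) bytes, so a classmark2_len larger than the fixed struct assumes moves mi_p past the validated region before the second check runs. Suggest bounding the offset before the dereference, e.g. `if (2 + classmark2_len + 1 > msgb_l3len(msg) - sizeof(*gh))` rejecting with GSM48_REJECT_INCORRECT_MESSAGE, and basing the MI-fits check on the variable-offset mi_len rather than the fixed-offset req->mi_len, since the comment notes the classmark2 length is variable in Phase 1.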
--
To view, visit https://gerrit.osmocom.org/13907
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6e7454d7a6f63fd5a0e12fb90d8c58688da0951e
Gerrit-Change-Number: 13907
Gerrit-PatchSet: 1
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>