This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
pespin gerrit-no-reply at lists.osmocom.orgpespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-pcu/+/17632 ) Change subject: csn1: Properly verify CSN_BITMAP length ...................................................................... csn1: Properly verify CSN_BITMAP length Change-Id: I9f7672b534f9345caff99095504749eebad25adb --- M src/csn1.c 1 file changed, 16 insertions(+), 4 deletions(-) git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/32/17632/1 diff --git a/src/csn1.c b/src/csn1.c index 1fd094f..c9c8cdd 100644 --- a/src/csn1.c +++ b/src/csn1.c @@ -424,6 +424,10 @@ if (no_of_bits > 0) { + if (no_of_bits > remaining_bits_len) + { + return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr); + } if (no_of_bits <= 32) { @@ -451,7 +455,6 @@ } remaining_bits_len -= no_of_bits; - assert(remaining_bits_len >= 0); bit_offset += no_of_bits; } /* bitmap was successfully extracted or it was empty */ @@ -876,6 +879,10 @@ if (no_of_bits > 0) { + if (no_of_bits > remaining_bits_len) + { + return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr); + } if (no_of_bits <= 32) { @@ -896,7 +903,6 @@ } remaining_bits_len -= no_of_bits; - assert(remaining_bits_len >= 0); bit_offset += no_of_bits; } /* bitmap was successfully extracted or it was empty */ @@ -1737,6 +1743,10 @@ if (no_of_bits > 0) { + if (no_of_bits > remaining_bits_len) + { + return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr); + } if (no_of_bits <= 32) { @@ -1762,7 +1772,6 @@ } remaining_bits_len -= no_of_bits; - assert(remaining_bits_len >= 0); bit_offset += no_of_bits; } /* bitmap was successfully extracted or it was empty */ @@ -2153,6 +2162,10 @@ if (no_of_bits > 0) { + if (no_of_bits > remaining_bits_len) + { + return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr); + } if (no_of_bits <= 32) { @@ -2172,7 +2185,6 @@ } remaining_bits_len -= no_of_bits; - assert(remaining_bits_len >= 0); bit_offset += no_of_bits; } /* bitmap was successfully extracted or it was empty */ -- To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/17632 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-pcu Gerrit-Branch: master Gerrit-Change-Id: I9f7672b534f9345caff99095504749eebad25adb Gerrit-Change-Number: 17632 Gerrit-PatchSet: 1 Gerrit-Owner: pespin <pespin at sysmocom.de> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200326/e4519209/attachment.htm>