Change in osmo-pcu[master]: csn1: Properly verify CSN_BITMAP length

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

pespin gerrit-no-reply at lists.osmocom.org
Thu Mar 26 19:51:48 UTC 2020


pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-pcu/+/17632 )


Change subject: csn1: Properly verify CSN_BITMAP length
......................................................................

csn1: Properly verify CSN_BITMAP length

Change-Id: I9f7672b534f9345caff99095504749eebad25adb
---
M src/csn1.c
1 file changed, 16 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/32/17632/1

diff --git a/src/csn1.c b/src/csn1.c
index 1fd094f..c9c8cdd 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -424,6 +424,10 @@
 
         if (no_of_bits > 0)
         {
+          if (no_of_bits > remaining_bits_len)
+          {
+            return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+          }
 
           if (no_of_bits <= 32)
           {
@@ -451,7 +455,6 @@
           }
 
           remaining_bits_len -= no_of_bits;
-          assert(remaining_bits_len >= 0);
           bit_offset += no_of_bits;
         }
         /* bitmap was successfully extracted or it was empty */
@@ -876,6 +879,10 @@
 
             if (no_of_bits > 0)
             {
+              if (no_of_bits > remaining_bits_len)
+              {
+                return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+              }
 
               if (no_of_bits <= 32)
               {
@@ -896,7 +903,6 @@
               }
 
               remaining_bits_len -= no_of_bits;
-              assert(remaining_bits_len >= 0);
               bit_offset += no_of_bits;
             }
             /* bitmap was successfully extracted or it was empty */
@@ -1737,6 +1743,10 @@
 
         if (no_of_bits > 0)
         {
+          if (no_of_bits > remaining_bits_len)
+          {
+            return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+          }
 
           if (no_of_bits <= 32)
           {
@@ -1762,7 +1772,6 @@
           }
 
           remaining_bits_len -= no_of_bits;
-          assert(remaining_bits_len >= 0);
           bit_offset += no_of_bits;
         }
         /* bitmap was successfully extracted or it was empty */
@@ -2153,6 +2162,10 @@
 
             if (no_of_bits > 0)
             {
+              if (no_of_bits > remaining_bits_len)
+              {
+                return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+              }
 
               if (no_of_bits <= 32)
               {
@@ -2172,7 +2185,6 @@
               }
 
               remaining_bits_len -= no_of_bits;
-              assert(remaining_bits_len >= 0);
               bit_offset += no_of_bits;
             }
             /* bitmap was successfully extracted or it was empty */

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/17632
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: I9f7672b534f9345caff99095504749eebad25adb
Gerrit-Change-Number: 17632
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200326/e4519209/attachment.htm>


More information about the gerrit-log mailing list