Change in osmo-pcu[master]: csn1: fix csnStreamEncoder(): also check length of the choice list

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Sat May 23 12:31:16 UTC 2020 

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-pcu/+/18431 )


Change subject: csn1: fix csnStreamEncoder(): also check length of the choice list
......................................................................

csn1: fix csnStreamEncoder(): also check length of the choice list

Similar checks are done in csnStreamDecoder(), so better check than sorry.

Change-Id: I441c716975905a37264efc8a76df92194f39c1fb
---
M src/csn1.c
1 file changed, 7 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/31/18431/1

diff --git a/src/csn1.c b/src/csn1.c
index 3347a64..700c342 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -1802,10 +1802,16 @@
 
       case CSN_CHOICE:
       {
-        //gint16 count = pDescr->i;
+        gint16 count = pDescr->i;
         guint8 i     = 0;
         const CSN_ChoiceElement_t* pChoice = (const CSN_ChoiceElement_t*) pDescr->descr.ptr;
 
+        /* Make sure that the list of choice items is not empty */
+        if (!count)
+          return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
+        else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
+          return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
+
         pui8          = pui8DATA(data, pDescr->offset);
         i = *pui8;
         pChoice += i;

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/18431
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: I441c716975905a37264efc8a76df92194f39c1fb
Gerrit-Change-Number: 18431
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200523/562f2525/attachment.htm>

More information about the gerrit-log mailing list