Change in osmo-pcu[master]: csn1: fix M_CHOICE: restirct maximum length of the choice list

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Mon May 25 08:51:35 UTC 2020 

fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-pcu/+/18430 )

Change subject: csn1: fix M_CHOICE: restirct maximum length of the choice list
......................................................................

csn1: fix M_CHOICE: restirct maximum length of the choice list

The current implementation is not capable of handling more than
256 (UCHAR_MAX) selectors in the choice list. Let's document
this and add a guard check to the M_CHOICE handler.

Change-Id: I40c3c5b9be892804c6cd71cbb907af469ce5d769
---
M src/csn1.c
M src/csn1.h
2 files changed, 4 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved
  pespin: Looks good to me, approved



diff --git a/src/csn1.c b/src/csn1.c
index 3db1e13..3347a64 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -495,6 +495,8 @@
         /* Make sure that the list of choice items is not empty */
         if (!count)
           return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_IN_SCRIPT, pDescr);
+        else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
+          return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_IN_SCRIPT, pDescr);
 
         while (count > 0)
         {
diff --git a/src/csn1.h b/src/csn1.h
index d178ada..7eef5c8 100644
--- a/src/csn1.h
+++ b/src/csn1.h
@@ -490,7 +490,8 @@
  * is the part of the message.  In the CSN_CHOICE case, this rule does not
  * apply. There is free but predefined mapping of the element of the union and
  * the value which addresses this element.
- * The value of the address is called a selector.
+ * The value of the address is called a selector. Up to 256 (UCHAR_MAX) unique
+ * selectors can be handled, longer choice list would cause CSN_ERROR_IN_SCRIPT.
  * After unpacking, this value is then converted to the sequential number of the
  * element in the union and stored in the UnionType variable.
  *      Par1: C structure name

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/18430
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: I40c3c5b9be892804c6cd71cbb907af469ce5d769
Gerrit-Change-Number: 18430
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200525/1e4b1bed/attachment.htm>

More information about the gerrit-log mailing list