Change in osmo-pcu[master]: csn1: fix csnStreamEncoder(): always check the choice index


fixeria gerrit-no-reply at lists.osmocom.org
Mon May 25 08:51:36 UTC 2020


fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-pcu/+/18432 )

Change subject: csn1: fix csnStreamEncoder(): always check the choice index
......................................................................

csn1: fix csnStreamEncoder(): always check the choice index

It's so easy to pick an out of bounds value otherwise...

Change-Id: I12f5ab739b97f1f3b5d4bed1b5a4a661c879e89f
---
M src/csn1.c
1 file changed, 6 insertions(+), 4 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved



diff --git a/src/csn1.c b/src/csn1.c
index 700c342..5b60399 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -1803,7 +1803,6 @@
       case CSN_CHOICE:
       {
         gint16 count = pDescr->i;
-        guint8 i     = 0;
         const CSN_ChoiceElement_t* pChoice = (const CSN_ChoiceElement_t*) pDescr->descr.ptr;
 
         /* Make sure that the list of choice items is not empty */
@@ -1812,9 +1811,12 @@
         else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
           return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
 
-        pui8          = pui8DATA(data, pDescr->offset);
-        i = *pui8;
-        pChoice += i;
+        /* Make sure that choice index is not out of range */
+        pui8 = pui8DATA(data, pDescr->offset);
+        if (*pui8 >= count)
+          return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_INVALID_UNION_INDEX, pDescr);
+
+        pChoice += *pui8;
         guint8 no_of_bits = pChoice->bits;
         guint8 value = pChoice->value;
         LOGPC(DCSN1, LOGL_DEBUG, "%s = %u | ", pChoice->descr.sz , (unsigned)value);
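Review bot: In the new range check, `*pui8` is dereferenced once for the comparison against `count` and again for `pChoice += *pui8`. Copying it into a local first (for example a `const guint8`) would make it explicit that the value checked is the value used as the index. The comparison also mixes the unsigned byte with the `gint16 count`. Integer promotion makes this behave correctly, and a negative `count` would reject every index, but a short comment or an explicit cast would make that intent visible. Finally, the error return passes only `writeIndex` and `pDescr` to ProcessError(), so logging the offending index next to `count` before returning CSN_ERROR_INVALID_UNION_INDEX would make a bad caller much easier to track down.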

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/18432
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: I12f5ab739b97f1f3b5d4bed1b5a4a661c879e89f
Gerrit-Change-Number: 18432
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged