<p>Vadim Yanitskiy has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/13907">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">libmsc/gsm_04_08.c: fix sizeof(pointer) instead of sizeof(struct)<br><br>In gsm48_rx_mm_serv_req() we need to make sure that a given message<br>buffer is large enough to contain both 'gsm48_hdr' and<br>'gsm48_service_request' structures.<br><br>Comparing msg->data_len with size of pointer if wrong because:<br><br> - we actually need to compare with size of struct(s),<br> - we need msgb_l3len(), not length of the whole buffer.<br><br>Change-Id: I6e7454d7a6f63fd5a0e12fb90d8c58688da0951e<br>---<br>M src/libmsc/gsm_04_08.c<br>1 file changed, 19 insertions(+), 12 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/07/13907/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c</span><br><span>index 32a7b7f..ac00025 100644</span><br><span>--- a/src/libmsc/gsm_04_08.c</span><br><span>+++ b/src/libmsc/gsm_04_08.c</span><br><span>@@ -738,28 +738,35 @@</span><br><span> {</span><br><span> struct gsm_network *net = conn->network;</span><br><span> uint8_t mi_type;</span><br><span style="color: hsl(0, 100%, 40%);">- struct gsm48_hdr *gh = msgb_l3(msg);</span><br><span style="color: hsl(0, 100%, 40%);">- struct gsm48_service_request *req =</span><br><span style="color: hsl(0, 100%, 40%);">- (struct gsm48_service_request *)gh->data;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gsm48_hdr *gh;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gsm48_service_request *req;</span><br><span> /* unfortunately in Phase1 the classmark2 length is variable */</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t classmark2_len = gh->data[1];</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t *classmark2 = gh->data+2;</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t *mi_p = classmark2 + classmark2_len;</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t mi_len = *mi_p;</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t *mi = mi_p + 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t classmark2_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *classmark2;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *mi_p;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t mi_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *mi;</span><br><span> struct osmo_location_area_id lai;</span><br><span> bool is_utran;</span><br><span> </span><br><span> lai.plmn = conn->network->plmn;</span><br><span> lai.lac = conn->lac;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (msg->data_len < sizeof(struct gsm48_service_request*)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Make sure that both header and CM Service Request fit into the buffer */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (msgb_l3len(msg) < sizeof(*gh) + sizeof(*req)) {</span><br><span> LOG_RAN_CONN(conn, LOGL_ERROR, "Rx CM SERVICE REQUEST: wrong message size (%u < %zu)\n",</span><br><span style="color: hsl(0, 100%, 40%);">- msg->data_len, sizeof(struct gsm48_service_request*));</span><br><span style="color: hsl(0, 100%, 40%);">- return msc_gsm48_tx_mm_serv_rej(conn,</span><br><span style="color: hsl(0, 100%, 40%);">- GSM48_REJECT_INCORRECT_MESSAGE);</span><br><span style="color: hsl(120, 100%, 40%);">+ msgb_l3len(msg), sizeof(*gh) + sizeof(*req));</span><br><span style="color: hsl(120, 100%, 40%);">+ return msc_gsm48_tx_mm_serv_rej(conn, GSM48_REJECT_INCORRECT_MESSAGE);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ gh = (struct gsm48_hdr *) msgb_l3(msg);</span><br><span style="color: hsl(120, 100%, 40%);">+ req = (struct gsm48_service_request *) gh->data;</span><br><span style="color: hsl(120, 100%, 40%);">+ classmark2_len = gh->data[1];</span><br><span style="color: hsl(120, 100%, 40%);">+ classmark2 = gh->data + 2;</span><br><span style="color: hsl(120, 100%, 40%);">+ mi_p = classmark2 + classmark2_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ mi_len = *mi_p;</span><br><span style="color: hsl(120, 100%, 40%);">+ mi = mi_p + 1;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (msg->data_len < req->mi_len + 6) {</span><br><span> LOG_RAN_CONN(conn, LOGL_ERROR, "Rx CM SERVICE REQUEST: message does not fit in packet\n");</span><br><span> return msc_gsm48_tx_mm_serv_rej(conn,</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/13907">change 13907</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/13907"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I6e7454d7a6f63fd5a0e12fb90d8c58688da0951e </div>
<div style="display:none"> Gerrit-Change-Number: 13907 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>