<p>Vadim Yanitskiy has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/13982">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun<br><br>In ran_a_make_handover_request() we do prevent destination buffer<br>(r.encryption_information.key) overflow, but not source buffer<br>(n->geran.chosen_encryption->key) overrun if an incorrect key<br>length is received. Let's fix this.<br><br>Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575<br>Fixes: CID#198450 Out-of-bounds access<br>---<br>M src/libmsc/ran_msg_a.c<br>1 file changed, 3 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/82/13982/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c</span><br><span>index 21be896..805308c 100644</span><br><span>--- a/src/libmsc/ran_msg_a.c</span><br><span>+++ b/src/libmsc/ran_msg_a.c</span><br><span>@@ -1080,7 +1080,9 @@</span><br><span>    /* Encryption Information */</span><br><span>         make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);</span><br><span>         if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {</span><br><span style="color: hsl(0, 100%, 40%);">-               if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {</span><br><span style="color: hsl(120, 100%, 40%);">+            /* Prevent both source / destination buffer overrun / overflow */</span><br><span style="color: hsl(120, 100%, 40%);">+             if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)</span><br><span style="color: hsl(120, 100%, 40%);">+                   || n->geran.chosen_encryption->key_len > 
sizeof(n->geran.chosen_encryption->key)) {</span><br><span>                       LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",</span><br><span>                                    n->geran.chosen_encryption->key_len);</span><br><span>                   return NULL;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/13982">change 13982</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/13982"/><meta itemprop="name" content="View Change"/></div></div>
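<p>Review bot: in the extended if condition of ran_a_make_handover_request(), both limits are sizeof constants, so only the smaller of the two ever decides the outcome and the other comparison can never fire on its own; a single comparison against the smaller size, or a static assertion relating the two key buffers, would state the intent more directly. The added bound also relies on n->geran.chosen_encryption->key being an array member rather than a pointer, which these lines do not show; with a pointer, sizeof would yield the pointer size, so this is worth confirming against the struct definition. The error path still logs only "invalid chosen encryption key size %u" for either case; printing the permitted maximum alongside key_len would make a rejected Handover Request easier to diagnose.</p>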

<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575 </div>
<div style="display:none"> Gerrit-Change-Number: 13982 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>