<p>laforge has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/libosmocore/+/15370">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">cbsp: Fix endless loop iteration when decoding cell list IEs<br><br>The CBSP code assumed that gsm0808_decode_cell_id_u() would return<br>the number of bytes it has consumed/parsed.  But it actually always<br>returns '0', whcih makes us run in an endless loop :(<br><br>Change-Id: I5758af4ec11a827d4b888a3a16c4ec22de90a7d6<br>---<br>M include/osmocom/gsm/gsm0808_utils.h<br>M src/gsm/cbsp.c<br>M src/gsm/gsm0808_utils.c<br>3 files changed, 26 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/70/15370/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/osmocom/gsm/gsm0808_utils.h b/include/osmocom/gsm/gsm0808_utils.h</span><br><span>index 76db2b6..ccdf5ed 100644</span><br><span>--- a/include/osmocom/gsm/gsm0808_utils.h</span><br><span>+++ b/include/osmocom/gsm/gsm0808_utils.h</span><br><span>@@ -95,6 +95,7 @@</span><br><span> int gsm0808_cell_id_to_cgi(struct osmo_cell_global_id *cgi, const struct gsm0808_cell_id *cid);</span><br><span> void gsm0808_msgb_put_cell_id_u(struct msgb *msg, enum CELL_IDENT id_discr, const union gsm0808_cell_id_u *u);</span><br><span> int gsm0808_decode_cell_id_u(union gsm0808_cell_id_u *out, enum CELL_IDENT discr, const uint8_t *buf, unsigned int len);</span><br><span style="color: hsl(120, 100%, 40%);">+int gsm0808_cell_id_size(enum CELL_IDENT discr);</span><br><span> </span><br><span> uint8_t gsm0808_enc_cause(struct msgb *msg, uint16_t cause);</span><br><span> uint8_t gsm0808_enc_aoip_trasp_addr(struct msgb *msg,</span><br><span>diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c</span><br><span>index 84b9235..c13be61 100644</span><br><span>--- 
a/src/gsm/cbsp.c</span><br><span>+++ b/src/gsm/cbsp.c</span><br><span>@@ -515,7 +515,7 @@</span><br><span>                  osmo_cbsp_errstr = "cell list: error decoding cell_id_union";</span><br><span>                      return rc;</span><br><span>           }</span><br><span style="color: hsl(0, 100%, 40%);">-               cur += rc;</span><br><span style="color: hsl(120, 100%, 40%);">+            cur += gsm0808_cell_id_size(cl->id_discr);</span><br><span>                llist_add_tail(&ent->list, &cl->list);</span><br><span>         }</span><br><span>    return 0;</span><br><span>@@ -538,7 +538,7 @@</span><br><span>                      osmo_cbsp_errstr = "fail list: error decoding cell_id_union";</span><br><span>                      return rc;</span><br><span>           }</span><br><span style="color: hsl(0, 100%, 40%);">-               cur += rc;</span><br><span style="color: hsl(120, 100%, 40%);">+            cur += gsm0808_cell_id_size(ent->id_discr);</span><br><span>               ent->cause = *cur++;</span><br><span>              llist_add_tail(&ent->list, fl);</span><br><span>       }</span><br><span>@@ -562,7 +562,7 @@</span><br><span>                      osmo_cbsp_errstr = "load list: error decoding cell_id_union";</span><br><span>                      return rc;</span><br><span>           }</span><br><span style="color: hsl(0, 100%, 40%);">-               cur += rc;</span><br><span style="color: hsl(120, 100%, 40%);">+            cur += gsm0808_cell_id_size(ll->id_discr);</span><br><span>                if (cur + 2 > buf + len) {</span><br><span>                        talloc_free(ent);</span><br><span>                    osmo_cbsp_errstr = "load list: truncated IE";</span><br><span>@@ -592,7 +592,7 @@</span><br><span>                        osmo_cbsp_errstr = "completed list: error decoding cell_id_union";</span><br><span>                         return rc;</span><br><span>           }</span><br><span style="color: hsl(0, 100%, 40%);">-           
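Review bot: The value of gsm0808_cell_id_size() is added to `cur` unchecked in all four cbsp.c hunks (@@ -515, @@ -538, @@ -562, @@ -592); that function returns -EINVAL for an unknown discriminator and 0 for CELL_IDENT_BSS / CELL_IDENT_NO_CELL, so on a malformed IE the cursor either moves backwards or does not move at all, which re-creates the endless loop this change sets out to fix (the loop headers sit outside the hunks, so this is inferred from `cur` being the only progress variable, and each iteration also allocates an entry). Whether the preceding gsm0808_decode_cell_id_u() call already rejects those discriminators is not visible here, so the list parsers are safer with their own guard that treats a non-positive element size as an error. In the @@ -538 hunk the cause octet is then read with `ent->cause = *cur++;` with no visible length check between the advance and the read, unlike the load and completed lists which check `cur + 2 > buf + len`; unless such a check exists outside the hunk, a one-octet check `if (cur + 1 > buf + len)` with the same talloc_free/errstr handling belongs there. The same guard applies to the three other lists with `ent->id_discr` / `ll->id_discr` / `cl->id_discr` respectively.
```c
/* … unchanged: gsm0808_decode_cell_id_u() call and its error path … */
		rc = gsm0808_cell_id_size(cl->id_discr);
		if (rc <= 0) {
			/* a list element must consume at least one octet, otherwise the loop cannot terminate */
			talloc_free(ent);
			osmo_cbsp_errstr = "cell list: invalid cell_id discriminator";
			return -EINVAL;
		}
		cur += rc;
		llist_add_tail(&ent->list, &cl->list);
```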
    cur += rc;</span><br><span style="color: hsl(120, 100%, 40%);">+            cur += gsm0808_cell_id_size(cl->id_discr);</span><br><span>                if (cur + 3 > buf + len) {</span><br><span>                        talloc_free(ent);</span><br><span>                    osmo_cbsp_errstr = "completed list: truncated IE";</span><br><span>diff --git a/src/gsm/gsm0808_utils.c b/src/gsm/gsm0808_utils.c</span><br><span>index 364a04f..7416d8f 100644</span><br><span>--- a/src/gsm/gsm0808_utils.c</span><br><span>+++ b/src/gsm/gsm0808_utils.c</span><br><span>@@ -767,6 +767,27 @@</span><br><span>         return (int)(elem - old_elem);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* Return the size of the value part of a cell identifier of given type */</span><br><span style="color: hsl(120, 100%, 40%);">+int gsm0808_cell_id_size(enum CELL_IDENT discr)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+       switch (discr) {</span><br><span style="color: hsl(120, 100%, 40%);">+      case CELL_IDENT_WHOLE_GLOBAL:</span><br><span style="color: hsl(120, 100%, 40%);">+         return 7;</span><br><span style="color: hsl(120, 100%, 40%);">+     case CELL_IDENT_LAC_AND_CI:</span><br><span style="color: hsl(120, 100%, 40%);">+           return 4;</span><br><span style="color: hsl(120, 100%, 40%);">+     case CELL_IDENT_CI:</span><br><span style="color: hsl(120, 100%, 40%);">+           return 2;</span><br><span style="color: hsl(120, 100%, 40%);">+     case CELL_IDENT_LAI_AND_LAC:</span><br><span style="color: hsl(120, 100%, 40%);">+          return 5;</span><br><span style="color: hsl(120, 100%, 40%);">+     case CELL_IDENT_LAC:</span><br><span style="color: hsl(120, 100%, 40%);">+          return 2;</span><br><span style="color: hsl(120, 100%, 40%);">+     case CELL_IDENT_BSS:</span><br><span style="color: hsl(120, 100%, 40%);">+  case CELL_IDENT_NO_CELL:</span><br><span 
style="color: hsl(120, 100%, 40%);">+              return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+     default:</span><br><span style="color: hsl(120, 100%, 40%);">+              return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+       }</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span> /*! Decode a single GSM 08.08 Cell ID list element payload</span><br><span>  *  \param[out] out caller-provided output union</span><br><span>  *  \param[in] discr Cell ID discriminator describing type to be decoded</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/libosmocore/+/15370">change 15370</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/libosmocore/+/15370"/><meta itemprop="name" content="View Change"/></div></div>
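Review bot: The new gsm0808_cell_id_size() is exported through the public header, but its one-line comment leaves out the two properties every caller has to handle: it returns 0 for CELL_IDENT_BSS and CELL_IDENT_NO_CELL and -EINVAL for any other discriminator, and the cbsp.c callers in this same change add the result to a pointer without checking it. A Doxygen block in the style of the neighbouring decoder would make the contract explicit, along the lines of `/*! Return the size of the value part of a Cell Identifier of type \a discr. \param[in] discr Cell ID discriminator \returns number of octets (0 for BSS / NO_CELL), or -EINVAL for an unknown discriminator */`. The use of -EINVAL presumes <errno.h> is already included by gsm0808_utils.c, which the hunk does not show. A blank line between the closing brace and the following `/*! Decode a single GSM 08.08 Cell ID list element payload` comment would also keep the file's layout consistent with the function above it.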
