<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-pcu/+/17632">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">csn1: Properly verify CSN_BITMAP length<br><br>Change-Id: I9f7672b534f9345caff99095504749eebad25adb<br>---<br>M src/csn1.c<br>1 file changed, 16 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/32/17632/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/csn1.c b/src/csn1.c</span><br><span>index 1fd094f..c9c8cdd 100644</span><br><span>--- a/src/csn1.c</span><br><span>+++ b/src/csn1.c</span><br><span>@@ -424,6 +424,10 @@</span><br><span> </span><br><span>         if (no_of_bits > 0)</span><br><span>         {</span><br><span style="color: hsl(120, 100%, 40%);">+          if (no_of_bits > remaining_bits_len)</span><br><span style="color: hsl(120, 100%, 40%);">+          {</span><br><span style="color: hsl(120, 100%, 40%);">+            return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);</span><br><span style="color: hsl(120, 100%, 40%);">+          }</span><br><span> </span><br><span>           if (no_of_bits <= 32)</span><br><span>           {</span><br><span>@@ -451,7 +455,6 @@</span><br><span>           }</span><br><span> </span><br><span>           remaining_bits_len -= no_of_bits;</span><br><span style="color: hsl(0, 100%, 40%);">-          assert(remaining_bits_len >= 0);</span><br><span>           bit_offset += no_of_bits;</span><br><span>         }</span><br><span>         /* bitmap was successfully extracted or it was empty */</span><br><span>@@ -876,6 +879,10 @@</span><br><span> </span><br><span>             if (no_of_bits > 0)</span><br><span>             {</span><br><span style="color: hsl(120, 100%, 40%);">+              if 
(no_of_bits > remaining_bits_len)</span><br><span style="color: hsl(120, 100%, 40%);">+              {</span><br><span style="color: hsl(120, 100%, 40%);">+                return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);</span><br><span style="color: hsl(120, 100%, 40%);">+              }</span><br><span> </span><br><span>               if (no_of_bits <= 32)</span><br><span>               {</span><br><span>@@ -896,7 +903,6 @@</span><br><span>               }</span><br><span> </span><br><span>               remaining_bits_len -= no_of_bits;</span><br><span style="color: hsl(0, 100%, 40%);">-              assert(remaining_bits_len >= 0);</span><br><span>               bit_offset += no_of_bits;</span><br><span>             }</span><br><span>             /* bitmap was successfully extracted or it was empty */</span><br><span>@@ -1737,6 +1743,10 @@</span><br><span> </span><br><span>         if (no_of_bits > 0)</span><br><span>         {</span><br><span style="color: hsl(120, 100%, 40%);">+          if (no_of_bits > remaining_bits_len)</span><br><span style="color: hsl(120, 100%, 40%);">+          {</span><br><span style="color: hsl(120, 100%, 40%);">+            return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);</span><br><span style="color: hsl(120, 100%, 40%);">+          }</span><br><span> </span><br><span>           if (no_of_bits <= 32)</span><br><span>           {</span><br><span>@@ -1762,7 +1772,6 @@</span><br><span>           }</span><br><span> </span><br><span>           remaining_bits_len -= no_of_bits;</span><br><span style="color: hsl(0, 100%, 40%);">-          assert(remaining_bits_len >= 0);</span><br><span>           bit_offset += no_of_bits;</span><br><span>         }</span><br><span>         /* bitmap was successfully extracted or it was empty */</span><br><span>@@ -2153,6 +2162,10 @@</span><br><span> </span><br><span>             if (no_of_bits > 
0)</span><br><span>             {</span><br><span style="color: hsl(120, 100%, 40%);">+              if (no_of_bits > remaining_bits_len)</span><br><span style="color: hsl(120, 100%, 40%);">+              {</span><br><span style="color: hsl(120, 100%, 40%);">+                return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);</span><br><span style="color: hsl(120, 100%, 40%);">+              }</span><br><span> </span><br><span>               if (no_of_bits <= 32)</span><br><span>               {</span><br><span>@@ -2172,7 +2185,6 @@</span><br><span>               }</span><br><span> </span><br><span>               remaining_bits_len -= no_of_bits;</span><br><span style="color: hsl(0, 100%, 40%);">-              assert(remaining_bits_len >= 0);</span><br><span>               bit_offset += no_of_bits;</span><br><span>             }</span><br><span>             /* bitmap was successfully extracted or it was empty */</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-pcu/+/17632">change 17632</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-pcu/+/17632"/><meta itemprop="name" content="View Change"/></div></div>
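Review bot: the commit message is a subject line only, and it should record why the four assert(remaining_bits_len >= 0) lines at @@ -451, @@ -896, @@ -1762 and @@ -2172 are dropped. Each of those asserts sat after the "no_of_bits <= 32" block and after "remaining_bits_len -= no_of_bits", so a bitmap longer than the remaining input was only noticed once the length had already gone negative. The assert then either aborted the process or, in a build with NDEBUG, was compiled out and let parsing continue. The new guard before the block turns that into a normal CSN_ERROR_NEED_MORE_BITS_TO_UNPACK return, which is the behaviour a parser of peer-supplied messages needs. The diffstat lists only src/csn1.c, so please also add a regression test that feeds a message truncated inside a CSN_BITMAP field and expects this error code.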
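Review bot: in the hunks at @@ -1737 and @@ -2153 the new return passes writeIndex but keeps the "csnStreamDecoder" label and CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, identical to the readIndex hunks at @@ -424 and @@ -876. If these two sites are on the encoding side, the label string should name that function so the resulting log line points at the right direction, and the error code should be checked for whether an unpack error is the intended one there. If the copy is deliberate, a short comment at those two sites would save the next reader the same question.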
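Review bot: the guard "if (no_of_bits > remaining_bits_len)" is pasted four times with only the index argument changing, so a later fix to one copy can easily miss the others; a small helper or macro taking the index would keep them in step. The declarations are outside the visible context, so please confirm that no_of_bits and remaining_bits_len have the same signedness. The removed assert shows remaining_bits_len can be compared against zero as a signed value, and a mixed signed/unsigned comparison here would be converted to unsigned and could let an oversized bitmap length through.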

<div style="display:none"> Gerrit-Project: osmo-pcu </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I9f7672b534f9345caff99095504749eebad25adb </div>
<div style="display:none"> Gerrit-Change-Number: 17632 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin &lt;pespin@sysmocom.de&gt; </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>