pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-sigtran/+/38359?usp=email )
Change subject: coverity CID#216830
......................................................................
coverity CID#216830
sanity-check par->len received on the wire.
(cherry picked from commit 0285323c2bbe8efdcc7215179f890ac727ca7cac)
Change-Id: I1dcc3cb724c9644191de675cac0670ca292a75ba
---
M src/sua.c
1 file changed, 4 insertions(+), 0 deletions(-)

Approvals:
  osmith: Looks good to me, approved
  Jenkins Builder: Verified
diff --git a/src/sua.c b/src/sua.c index 9e281e0..3d9d7ec 100644 --- a/src/sua.c +++ b/src/sua.c @@ -436,6 +436,10 @@ par = (struct xua_parameter_hdr *) ¶m->dat[pos]; par_tag = ntohs(par->tag); par_len = ntohs(par->len); + + /* sanity: check par->len received on the wire, make sure the subtraction does not wrap past zero. */ + if (par_len < sizeof(*par)) + goto subpar_fail; par_datalen = par_len - sizeof(*par);
LOGP(DLSUA, LOGL_DEBUG, "SUA IEI 0x%04x pos %hu/%hu: subpart tag 0x%04x, len %hu\n",
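Review bot: the added `if (par_len < sizeof(*par))` test bounds par_len only from below; nothing visible in this hunk compares it against the bytes that remain in param->dat after pos, so an oversized par->len from the wire would still produce a par_datalen that extends past the enclosing parameter. If that upper bound is not already enforced further down in the function, it belongs next to this check, comparing pos + par_len with the enclosing parameter's length and taking the same `goto subpar_fail` path. The same applies one step earlier: par->tag and par->len are read through the cast pointer before any visible test that a full header fits at pos, so it is worth confirming the loop condition guarantees at least sizeof(*par) bytes there. A smaller point: the rejection happens before the LOGP call, so a malformed sub-parameter is dropped without its tag and length being logged; a notice-level log line on the failure branch would make such packets visible to operators.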