laforge submitted this change.

View Change


Approvals: Jenkins Builder: Verified fixeria: Looks good to me, approved laforge: Looks good to me, approved 
abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages

The length parameter in rsl_imm_assign_cmd_common() may cause a buffer
overflow when it is chosen larger than GSM_MACBLOCK_LEN. Lets make sure
this cannot happen.

Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
---
M src/osmo-bsc/abis_rsl.c
1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index ee2e2d3..7eb3a43 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -930,10 +930,18 @@
 /* Chapter 8.5.6 */
 struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, const uint8_t *val)
 {
-	struct msgb *msg = rsl_msgb_alloc();
+	struct msgb *msg;
 	struct abis_rsl_dchan_hdr *dh;
 	uint8_t buf[GSM_MACBLOCK_LEN];
 
+	if (len > sizeof(buf)) {
+		LOGP(DRSL, LOGL_ERROR,
+		     "Cannot send IMMEDIATE ASSIGNMENT message with excessive length (%u)\n", len);
+		return NULL;
+	}
+
+	msg = rsl_msgb_alloc();
+
 	dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh));
 	init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD);
 	dh->chan_nr = RSL_CHAN_PCH_AGCH;

To view, visit change 31577. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
Gerrit-Change-Number: 31577
Gerrit-PatchSet: 6
Gerrit-Owner: dexter <pmaier@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-MessageType: merged