pespin has uploaded this change for review.
cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
>>> CID 273001: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "needed" to "recv", which uses it as an offset.
1444 rc = recv(fd, msg->tail, needed, 0);
Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
---
M src/gsm/cbsp.c
1 file changed, 4 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/78/28478/1
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 2095003..a31517b 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -1441,6 +1441,10 @@
needed = len - msgb_l2len(msg);
if (needed > 0) {
+ if (needed > msgb_tailroom(msg)) {
+ rc = -ENOMEM;
+ goto discard_msg;
+ }
rc = recv(fd, msg->tail, needed, 0);
if (rc == 0)
goto discard_msg;
To view, visit change 28478. To unsubscribe, or for help writing mail filters, visit settings.