pespin has uploaded this change for review.

View Change

cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered

>>>     CID 273001:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "needed" to "recv", which uses it as an offset.
1444                    rc = recv(fd, msg->tail, needed, 0);

Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
---
M src/gsm/cbsp.c
1 file changed, 4 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/78/28478/1
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 2095003..a31517b 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -1441,6 +1441,10 @@
 
 	needed = len - msgb_l2len(msg);
 	if (needed > 0) {
+		if (needed > msgb_tailroom(msg)) {
+			rc = -ENOMEM;
+			goto discard_msg;
+		}
 		rc = recv(fd, msg->tail, needed, 0);
 		if (rc == 0)
 			goto discard_msg;

To view, visit change 28478. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
Gerrit-Change-Number: 28478
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-MessageType: newchange