neels has uploaded this change for review.

coverity CID#272968 CID#272939

properly bounds-check received value (offset) before calculating
msgb_l2len(msgb) - offset.

Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e
---
M src/sccp.c
1 file changed, 7 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/94/37994/1
diff --git a/src/sccp.c b/src/sccp.c
index 85bea6d..c348b9e 100644
--- a/src/sccp.c
+++ b/src/sccp.c
@@ -158,9 +158,15 @@
static int _sccp_parse_optional_data(const int offset,
struct msgb *msgb, struct sccp_optional_data *data)
{
- uint16_t room = msgb_l2len(msgb) - offset;
+ uint16_t room;
uint16_t read = 0;

+ /* sanity: make sure no optional_start value received on the wire (that callers typically pass as 'offset'
+ * argument) takes us past the message buffer boundaries (CID#272968 and others) */
+ if (offset >= msgb_l2len(msgb))
+ return 0;
+
+ room = msgb_l2len(msgb) - offset;
while (room > read) {
uint8_t type = msgb->l2h[offset + read];
if (type == SCCP_PNC_END_OF_OPTIONAL)
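
Review bot: the new `if (offset >= msgb_l2len(msgb)) return 0;` check does not signal an error for an out-of-range offset. If callers treat 0 as success, a message whose wire-supplied optional_start points past the buffer is handled as if it simply carried no optional data. Consider returning a negative value there so the caller can reject the malformed message. Also, `offset` is declared `const int`, so whether a negative value is caught depends on the return type of msgb_l2len(), which is not visible in this hunk; an explicit `offset < 0` test would make the check independent of integer conversion. Finally, `room` remains `uint16_t`, so `msgb_l2len(msgb) - offset` is truncated if the L2 length can exceed 65535.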

Gerrit-MessageType: newchange
Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e
Gerrit-Change-Number: 37994
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr@sysmocom.de>