pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/39368?usp=email )
Change subject: msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow
......................................................................
msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow
If the msg->data pointer is not allocated at the start of the msgb (e.g.
because it was pull()ed or had some headroom), the existing check
wouldn't catch it and memcpy() would write past the allocated chunk by
(msg->data - msg->_data) bytes.
Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
---
M src/core/msgb.c
1 file changed, 3 insertions(+), 3 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/68/39368/1
diff --git a/src/core/msgb.c b/src/core/msgb.c
index 713510c..6f081bb 100644
--- a/src/core/msgb.c
+++ b/src/core/msgb.c
@@ -327,10 +327,10 @@
{
struct msgb *new_msg;
- if (new_len < msgb_length(msg)) {
+ if (new_len < (msg->data - msg->_data) + msgb_length(msg)) {
LOGP(DLGLOBAL, LOGL_ERROR,
- "Data from old msgb (%u bytes) won't fit into new msgb (%u bytes) after
reallocation\n",
- msgb_length(msg), new_len);
+ "Data from old msgb (%u bytes at offset %u) won't fit into new msgb (%u
total bytes) after reallocation\n",
+ msgb_length(msg), (uint16_t)(msg->data - msg->_data), new_len);
return NULL;
}
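Review bot: the offset `msg->data - msg->_data` is evaluated twice in this hunk with two different types, once as a raw pointer difference (ptrdiff_t) in the `if` condition and once truncated with `(uint16_t)` in the LOGP argument list, so a large offset would be rejected by the check but logged as a wrapped-around value; compute it once into a local such as `unsigned int data_off = msg->data - msg->_data;` before the `if` and use that variable in both the comparison and the log call. The cast also hides that `new_len` and the offset are compared with mixed signedness; a single unsigned local makes the comparison explicit. Since the commit message states the old check missed pull()ed and headroom cases, a test in the msgb test suite that copies a msgb after `msgb_pull()` with `new_len` equal to `msgb_length(msg)` would pin the fix and guard against regressions of the overflow.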
--
To view, visit
https://gerrit.osmocom.org/c/libosmocore/+/39368?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
Gerrit-Change-Number: 39368
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin(a)sysmocom.de>