pespin has uploaded this change for review.

msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow

If the msg->data pointer is not allocated at the start of the msgb (e.g.
because it was pull()ed or had some headroom), the existing check
wouldn't catch it and memcpy() would write past the allocated chunk by
(msg->data - msg->_data) bytes.

Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
---
M src/core/msgb.c
1 file changed, 3 insertions(+), 3 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/68/39368/1
diff --git a/src/core/msgb.c b/src/core/msgb.c
index 713510c..6f081bb 100644
--- a/src/core/msgb.c
+++ b/src/core/msgb.c
@@ -327,10 +327,10 @@
{
struct msgb *new_msg;

- if (new_len < msgb_length(msg)) {
+ if (new_len < (msg->data - msg->_data) + msgb_length(msg)) {
LOGP(DLGLOBAL, LOGL_ERROR,
- "Data from old msgb (%u bytes) won't fit into new msgb (%u bytes) after reallocation\n",
- msgb_length(msg), new_len);
+ "Data from old msgb (%u bytes at offset %u) won't fit into new msgb (%u total bytes) after reallocation\n",
+ msgb_length(msg), (uint16_t)(msg->data - msg->_data), new_len);
return NULL;
}

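Review bot: the headroom offset `msg->data - msg->_data` is computed twice in this hunk, once in the new if condition and once more in the LOGP argument list with a `(uint16_t)` cast added only to satisfy `%u`; hoist it into a local, e.g. `unsigned int headroom = msg->data - msg->_data;`, and use it in both `if (new_len < headroom + msgb_length(msg))` and the log call, which drops the narrowing cast and makes it obvious that the check and the error message describe the same quantity. A one-line comment above the check would also help: per the commit message the copy includes those headroom bytes, which is the only reason `new_len` must cover offset plus length rather than `msgb_length(msg)` alone, and nothing in the visible code says so.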

Gerrit-MessageType: newchange
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
Gerrit-Change-Number: 39368
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>