fixeria submitted this change.

Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved laforge: Looks good to me, but someone else must approve
l1sap: check_for_ciph_cmd(): add missing msgb length check

The function accesses msg->data[0..4] without first verifying that the
message is at least 5 bytes long, which would cause a buffer over-read
on a malformed (too short) LAPDm frame.

Change-Id: I47690f1a6357e42913bfa8100e36c05cb4f0607a
---
M src/common/l1sap.c
1 file changed, 3 insertions(+), 0 deletions(-)
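The over-read described in the commit message comes from indexing msg->data[0..4] while the message's data region (msgb_length(), i.e. tail minus data in libosmocore) may be shorter than five bytes. The following is an added, stand-alone illustration and not osmo-bts or libosmocore code: it uses a minimal mock of struct msgb and msgb_length(), a bounds-checked reader that counts the bytes an unguarded data[0..4] inspection would read past tail instead of actually performing the over-read, and the guarded version with the patch's length check placed before the first field check the page shows (address field == 0x03). The sample frames are constructed; the remaining bytes of the well-formed frame are filler, and the real function's further field checks are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock of libosmocore's struct msgb: data..tail is the payload region
 * and msgb_length() is tail - data, which is what msg->data[i] indexes. */
struct msgb {
	uint8_t _buf[64];
	uint8_t *data;
	uint8_t *tail;
};

static size_t msgb_length(const struct msgb *msg)
{
	return (size_t)(msg->tail - msg->data);
}

/* Fill the mock from a constructed byte string. The backing buffer is
 * poisoned so that anything past tail is recognisably not frame data. */
static void msgb_fill(struct msgb *msg, const uint8_t *bytes, size_t len)
{
	memset(msg->_buf, 0xAA, sizeof(msg->_buf));
	msg->data = msg->_buf;
	if (len)
		memcpy(msg->data, bytes, len);
	msg->tail = msg->data + len;
}

/* Bounds-checked read used only to observe an over-read without UB:
 * returns -1 and bumps *over_read when idx lies past tail. */
static int msgb_byte_checked(const struct msgb *msg, size_t idx, int *over_read)
{
	if (idx >= msgb_length(msg)) {
		(*over_read)++;
		return -1;
	}
	return msg->data[idx];
}

/* "Before" shape: touches data[0..4] with no length check. Returns how
 * many of those five bytes lie past tail on this frame, i.e. the size of
 * the over-read the unpatched code would perform. */
static int count_over_reads_unchecked(const struct msgb *msg)
{
	int over = 0;
	for (size_t i = 0; i < 5; i++)
		(void)msgb_byte_checked(msg, i, &over);
	return over;
}

/* "After" shape: the patch's guard in front of the address-field check.
 * Returns 0 for a too-short frame or a non-0x03 address field, else 1. */
static int lapdm_header_check(const struct msgb *msg)
{
	if (msgb_length(msg) < 5)
		return 0;
	/* First byte (Address Field) of LAPDm header */
	if (msg->data[0] != 0x03)
		return 0;
	return 1;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t short_frame[] = { 0x03, 0x01 };
static const uint8_t ok_frame[]    = { 0x03, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t bad_addr[]    = { 0x01, 0x00, 0x00, 0x00, 0x00 };

/* Wrappers so each result is a return value. */
static int over_reads_for(const uint8_t *bytes, size_t len)
{
	struct msgb m;
	msgb_fill(&m, bytes, len);
	return count_over_reads_unchecked(&m);
}

static int guarded_check_for(const uint8_t *bytes, size_t len)
{
	struct msgb m;
	msgb_fill(&m, bytes, len);
	return lapdm_header_check(&m);
}

int main(void)
{
	printf("2-byte frame: unguarded reads %d bytes past tail, guarded check -> %d\n",
	       over_reads_for(short_frame, sizeof(short_frame)),
	       guarded_check_for(short_frame, sizeof(short_frame)));
	printf("5-byte frame: unguarded reads %d bytes past tail, guarded check -> %d\n",
	       over_reads_for(ok_frame, sizeof(ok_frame)),
	       guarded_check_for(ok_frame, sizeof(ok_frame)));
	return 0;
}
```

The point of the mock is that msgb_length() is measured from data, so it is the correct bound for msg->data[i]; a check on the L2 or L3 sub-length would not be.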

diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index 3d0263f..e150398 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -215,6 +215,9 @@
return 0;
}

+ if (msgb_length(msg) < 5)
+ return 0;
+
/* First byte (Address Field) of LAPDm header) */
if (msg->data[0] != 0x03)
return 0;
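Review bot: the bare `5` in `if (msgb_length(msg) < 5)` is a magic number that only makes sense next to the `msg->data[0..4]` accesses the commit message mentions; a one-line comment stating what the five bytes are, or a named constant, would keep the bound visibly tied to the field checks that follow so it is updated if another byte is ever inspected. The choice of msgb_length() itself is right, since it is tail minus data and therefore bounds exactly the region `msg->data[0]` indexes. Minor: the context comment `/* First byte (Address Field) of LAPDm header) */` has a stray closing parenthesis that could be cleaned up while this line is being touched.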

To view, visit change 42513. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: merged
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I47690f1a6357e42913bfa8100e36c05cb4f0607a
Gerrit-Change-Number: 42513
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>