[XS] Change in libosmocore[master]: msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer...

pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/39368?usp=email ) Change subject: msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow ...................................................................... msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow If msg->data pointer is not allocated at the start of the msgb, (eg. because it was pull()ed or had some headroom), the existing check wouldn't catch it and memcpy() would write passed the allocated chunk (msg->data - msg->_data) bytes. Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230 --- M src/core/msgb.c 1 file changed, 3 insertions(+), 3 deletions(-) Approvals: laforge: Looks good to me, but someone else must approve Jenkins Builder: Verified pespin: Looks good to me, approved osmith: Looks good to me, but someone else must approve diff --git a/src/core/msgb.c b/src/core/msgb.c index 713510c..6f081bb 100644 --- a/src/core/msgb.c +++ b/src/core/msgb.c @@ -327,10 +327,10 @@ { struct msgb *new_msg; - if (new_len < msgb_length(msg)) { + if (new_len < (msg->data - msg->_data) + msgb_length(msg)) { LOGP(DLGLOBAL, LOGL_ERROR, - "Data from old msgb (%u bytes) won't fit into new msgb (%u bytes) after reallocation\n", - msgb_length(msg), new_len); + "Data from old msgb (%u bytes at offset %u) won't fit into new msgb (%u total bytes) after reallocation\n", + msgb_length(msg), (uint16_t)(msg->data - msg->_data), new_len); return NULL; } -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/39368?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230 Gerrit-Change-Number: 39368 Gerrit-PatchSet: 2 Gerrit-Owner: pespin &lt;pespin(a)sysmocom.de&gt; Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: daniel &lt;dwillmann(a)sysmocom.de&gt; Gerrit-Reviewer: fixeria &lt;vyanitskiy(a)sysmocom.de&gt; Gerrit-Reviewer: laforge &lt;laforge(a)osmocom.org&gt; Gerrit-Reviewer: neels &lt;nhofmeyr(a)sysmocom.de&gt; Gerrit-Reviewer: osmith &lt;osmith(a)sysmocom.de&gt; Gerrit-Reviewer: pespin &lt;pespin(a)sysmocom.de&gt;