pespin submitted this change.


Approvals:
  laforge: Looks good to me, but someone else must approve
  Jenkins Builder: Verified
  pespin: Looks good to me, approved
  osmith: Looks good to me, but someone else must approve
msgb: msgb_copy_resize_c: Fix validation check to avoid memcpy buffer overflow

If msg->data pointer is not allocated at the start of the msgb, (e.g.
because it was pull()ed or had some headroom), the existing check
wouldn't catch it and memcpy() would write past the allocated chunk
(msg->data - msg->_data) bytes.

Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
---
M src/core/msgb.c
1 file changed, 3 insertions(+), 3 deletions(-)
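The commit message above describes a length check that compared only the payload length while the subsequent copy also carries the headroom in front of it. The following is an added example, not libosmocore code: a constructed stand-in for struct msgb (mini_msgb, with the hypothetical helpers mini_init, old_check_fits, new_check_fits, copy_resize, check_verdict and copy_resize_verdict) that puts the pre-fix and post-fix conditions side by side and shows the exact gap, a resize target that passes the old check but is too small for what the copy actually writes.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libosmocore's struct msgb, reduced to the pointer
 * fields the resize check looks at. _data is the start of the allocation,
 * data the start of the current payload, tail one past its end. */
struct mini_msgb {
    uint8_t *_data;
    uint8_t *data;
    uint8_t *tail;
    uint8_t buf[64];   /* backing storage, in-line for simplicity */
};

/* payload length and headroom, as the real msgb_length()/msgb_headroom() report them */
static size_t mini_length(const struct mini_msgb *m)   { return (size_t)(m->tail - m->data); }
static size_t mini_headroom(const struct mini_msgb *m) { return (size_t)(m->data - m->_data); }

/* Build a message with `headroom` bytes reserved before `len` bytes of payload (0xAB). */
static void mini_init(struct mini_msgb *m, size_t headroom, size_t len)
{
    memset(m->buf, 0, sizeof(m->buf));
    m->_data = m->buf;
    m->data = m->buf + headroom;
    m->tail = m->data + len;
    memset(m->data, 0xAB, len);
}

/* Pre-fix condition: only the payload length is compared against the new size. */
static bool old_check_fits(const struct mini_msgb *m, size_t new_len)
{
    return new_len >= mini_length(m);
}

/* Post-fix condition: headroom plus payload must fit, because that is what gets copied. */
static bool new_check_fits(const struct mini_msgb *m, size_t new_len)
{
    return new_len >= mini_headroom(m) + mini_length(m);
}

/* Copy-resize guarded by the corrected check. Copies from _data so the
 * payload keeps its offset in the new buffer. Returns NULL if it would not
 * fit; caller frees the result. */
static uint8_t *copy_resize(const struct mini_msgb *m, size_t new_len)
{
    uint8_t *out;
    if (!new_check_fits(m, new_len))
        return NULL;
    out = calloc(new_len, 1);
    if (!out)
        return NULL;
    /* headroom + payload: the byte count the pre-fix check undercounted */
    memcpy(out, m->_data, mini_headroom(m) + mini_length(m));
    return out;
}

/* Bitmask: bit 0 = old check accepts, bit 1 = new check accepts.
 * A result of 1 is the dangerous case the fix closes. */
static int check_verdict(size_t headroom, size_t len, size_t new_len)
{
    struct mini_msgb m;
    mini_init(&m, headroom, len);
    return (old_check_fits(&m, new_len) ? 1 : 0) | (new_check_fits(&m, new_len) ? 2 : 0);
}

/* 0 = rejected, 1 = copied with the payload found at its original offset, -1 = corrupted copy */
static int copy_resize_verdict(size_t headroom, size_t len, size_t new_len)
{
    struct mini_msgb m;
    uint8_t *out;
    int ok;
    mini_init(&m, headroom, len);
    out = copy_resize(&m, new_len);
    if (!out)
        return 0;
    ok = memcmp(out + headroom, m.data, len) == 0;
    free(out);
    return ok ? 1 : -1;
}

int main(void)
{
    /* 16 bytes headroom + 32 bytes payload need 48 bytes; 40 is too small */
    printf("verdict(16,32,40) = %d (1: old check accepts, new check rejects)\n", check_verdict(16, 32, 40));
    printf("verdict(16,32,48) = %d (3: both accept)\n", check_verdict(16, 32, 48));
    printf("copy_resize(16,32,40) -> %d, copy_resize(16,32,48) -> %d\n",
           copy_resize_verdict(16, 32, 40), copy_resize_verdict(16, 32, 48));
    return 0;
}
```

With no headroom the two conditions agree; the difference appears only once data has been moved forward (pull() or a reserved header), which is why the original check looked correct on simple inputs.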

diff --git a/src/core/msgb.c b/src/core/msgb.c
index 713510c..6f081bb 100644
--- a/src/core/msgb.c
+++ b/src/core/msgb.c
@@ -327,10 +327,10 @@
{
struct msgb *new_msg;

- if (new_len < msgb_length(msg)) {
+ if (new_len < (msg->data - msg->_data) + msgb_length(msg)) {
LOGP(DLGLOBAL, LOGL_ERROR,
- "Data from old msgb (%u bytes) won't fit into new msgb (%u bytes) after reallocation\n",
- msgb_length(msg), new_len);
+ "Data from old msgb (%u bytes at offset %u) won't fit into new msgb (%u total bytes) after reallocation\n",
+ msgb_length(msg), (uint16_t)(msg->data - msg->_data), new_len);
return NULL;
}
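Review bot: in the new condition at the top of the hunk, `msg->data - msg->_data` is a signed pointer difference added to the unsigned result of `msgb_length(msg)` and compared against `new_len`; that is correct for a well-formed msgb but mixes signedness in one expression, and the LOGP call below then recomputes the same offset with a `(uint16_t)` cast for `%u`, where the cast is promoted back to `int` while `%u` expects `unsigned int`. Suggest computing the offset once into an explicitly typed local, e.g. `unsigned int hdr = msg->data - msg->_data;`, using `hdr` in both the comparison and the log line, and adding a one-line comment that the check covers headroom plus payload because that is what the following memcpy copies.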



Gerrit-MessageType: merged
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: If4c84162a4e5b44b82813fb58029fae04bd38230
Gerrit-Change-Number: 39368
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann@sysmocom.de>
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr@sysmocom.de>
Gerrit-Reviewer: osmith <osmith@sysmocom.de>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>