lynxis lazus has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ggsn/+/40641?usp=email )
Change subject: gtp: SGSN Ctx: prevent a stack reference from remaining in **ie
Even though the caller shouldn't re-use **ie after using it with sgsn_context_response, ensure there is no stack reference in **ie when returning.

Related: Coverity CID#530774
Related: Coverity CID#530775
Fixes: d46d0cc36845 ("gtp: add support for SGSN Context Req/Resp/Ack")
Change-Id: Ideca8beb21c6cce7104721b4d80854448baf6c4e
---
M gtp/gtp.c
1 file changed, 15 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/41/40641/1
diff --git a/gtp/gtp.c b/gtp/gtp.c index fa65575..13b7de7 100644 --- a/gtp/gtp.c +++ b/gtp/gtp.c @@ -912,6 +912,11 @@ pack = &packet; pack += packet_len; rc = gtpie_encaps3(ie, GTPIE_SIZE, pack, GTP_MAX - packet_len, &encoded_len); + + /* Prevent a stack reference within **ie */ + ie[GTPIE_TEI_C] = NULL; + ie[GTPIE_GSN_ADDR] = NULL; + if (rc) return -EINVAL;
@@ -954,6 +959,11 @@ pack = &packet; pack += packet_len; rc = gtpie_encaps3(ie, GTPIE_SIZE, pack, GTP_MAX - packet_len, &encoded_len); + + /* Prevent a stack reference within **ie */ + ie[GTPIE_TEI_C] = NULL; + ie[GTPIE_GSN_ADDR] = NULL; + if (rc) return -EINVAL;
@@ -999,6 +1009,11 @@ pack += packet_len;
rc = gtpie_encaps3(ie, GTPIE_SIZE, pack, GTP_MAX - packet_len, &encoded_len); + + /* Prevent a stack reference within **ie */ + ie[GTPIE_TEI_C] = NULL; + ie[GTPIE_GSN_ADDR] = NULL; + if (rc) return -EINVAL;
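Review bot: the identical five-line block (comment plus `ie[GTPIE_TEI_C] = NULL; ie[GTPIE_GSN_ADDR] = NULL;`) is pasted into all three hunks; factoring it into a small static helper, or clearing the two slots at the point where they were populated from locals, would keep the three call sites from drifting apart when another stack-backed IE is added. Placing the clearing before `if (rc) return -EINVAL;` is the right choice, since it covers the error path as well as the success path, but any early return between the assignment of those slots and the `gtpie_encaps3()` call (not visible in these hunks) would still hand the caller dangling stack pointers, so it is worth confirming there are none. The hunks clear only `GTPIE_TEI_C` and `GTPIE_GSN_ADDR`; if any other `ie[]` entry in these functions points at a local, it needs the same treatment, otherwise the Coverity findings are only partially addressed. A short note in the comment that the NULL turns a later accidental reuse into a detectable NULL dereference rather than a read of stale stack memory would make the intent clearer to future readers.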