

abis_nm: always check return value of tlv_parse()

Change-Id: Iecba34a96f71922ddd25028e7d3404f89b1106de
---
M src/osmo-bsc/abis_nm.c
1 file changed, 41 insertions(+), 10 deletions(-)

diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index 1c21bc2..f7882ac 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -256,8 +256,12 @@

new_state = *nm_state;

+ if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }
+
DEBUGPFOH(DNM, foh, "STATE CHG: ");
- abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
if (TLVP_PRESENT(&tp, NM_ATT_OPER_STATE)) {
new_state.operational = *TLVP_VAL(&tp, NM_ATT_OPER_STATE);
DEBUGPC(DNM, "OP_STATE=%s ",
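Review bot: The length handed to abis_nm_tlv_parse() on the added line, `oh->length - sizeof(*foh)`, is unsigned arithmetic, so a message whose oh->length is smaller than the FOM header produces a very large length rather than a negative one, and the new `< 0` check only catches what the parser itself rejects. Unless the dispatcher that invokes this handler already drops such short messages (it is outside this hunk, as is the start of the enclosing function), a guard `if (oh->length < sizeof(*foh)) return -EINVAL;` ahead of the parse would close that gap; the same expression is used in the hunks at @@ -375, -698, -734, -771, -790, -943 and -2838. Moving the parse ahead of the `DEBUGPFOH(DNM, foh, "STATE CHG: ")` line is the right order, because that line is continued by DEBUGPC and would otherwise be left open when the parse fails, and a one-line comment such as `/* parse first: the DEBUGPFOH line below is continued by DEBUGPC() and must not be left open on error */` would record why; the same reasoning applies to the "LMT Event " hunk at @@ -790 and the NACK hunk at @@ -943.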
@@ -375,8 +379,10 @@
sd = talloc_zero(tall_bsc_ctx, struct nm_fail_rep_signal_data);
OSMO_ASSERT(sd);

- if (abis_nm_tlv_parse(&sd->tp, bts, foh->data, oh->length-sizeof(*foh)) < 0)
+ if (abis_nm_tlv_parse(&sd->tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
goto fail;
+ }

if (TLVP_PRESENT(&sd->tp, NM_ATT_ADD_TEXT)) {
const uint8_t *val = TLVP_VAL(&sd->tp, NM_ATT_ADD_TEXT);
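Review bot: The error line added before `goto fail` repeats the literal `"%s(): tlv_parse failed\n"` that this change now writes at eight call sites, differing only in the __func__ value each one supplies. A small file-scope helper or macro that performs the parse and the error log together would keep the wording and level in one place and make a later change (for instance adding the message type or length to the log) a single edit. The `fail` label and whatever it releases are outside this hunk, so I cannot confirm from here that sd is freed on that path.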
@@ -678,7 +684,11 @@
/* After parsing unreported attribute id list inside Response info,
there's a list of reported attribute ids and their values, in a TLV
list form. */
- abis_nm_tlv_parse(tp, bts, data, data_len);
+ if (abis_nm_tlv_parse(tp, bts, data, data_len) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }
+
return parse_attr_resp_info_attr(bts, trx, foh, tp);
}

@@ -698,7 +708,10 @@

DEBUGPFOH(DNM, foh, "Get Attributes Response\n");

- abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
+ if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }

/* nanoBTS doesn't send Get Attribute Response Info, uses its own format */
if (bts->type != GSM_BTS_TYPE_NANOBTS)
@@ -734,7 +747,11 @@
return ret;
}

- abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+ if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }
+
sw_config = TLVP_VAL(&tp, NM_ATT_SW_CONFIG);
sw_config_len = TLVP_LEN(&tp, NM_ATT_SW_CONFIG);
if (!TLVP_PRESENT(&tp, NM_ATT_SW_CONFIG)) {
@@ -771,7 +788,11 @@
struct tlv_parsed tp;
uint8_t adm_state;

- abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+ if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }
+
if (!TLVP_PRESENT(&tp, NM_ATT_ADM_STATE))
return -EINVAL;

@@ -790,8 +811,12 @@
struct e1inp_sign_link *sign_link = mb->dst;
struct tlv_parsed tp;

+ if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }
+
DEBUGPFOH(DNM, foh, "LMT Event ");
- abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
if (TLVP_PRESENT(&tp, NM_ATT_BS11_LMT_LOGON_SESSION) &&
TLVP_LEN(&tp, NM_ATT_BS11_LMT_LOGON_SESSION) >= 1) {
uint8_t onoff = *TLVP_VAL(&tp, NM_ATT_BS11_LMT_LOGON_SESSION);
@@ -943,9 +968,12 @@
struct nm_nack_signal_data nack_data;
struct tlv_parsed tp;

- LOGPFOH(DNM, LOGL_NOTICE, foh, "%s NACK ", abis_nm_nack_name(mt));
+ if (abis_nm_tlv_parse(&tp, bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }

- abis_nm_tlv_parse(&tp, bts, foh->data, oh->length-sizeof(*foh));
+ LOGPFOH(DNM, LOGL_NOTICE, foh, "%s NACK ", abis_nm_nack_name(mt));
if (TLVP_PRESENT(&tp, NM_ATT_NACK_CAUSES))
LOGPC(DNM, LOGL_NOTICE, "CAUSE=%s\n",
abis_nm_nack_cause_name(*TLVP_VAL(&tp, NM_ATT_NACK_CAUSES)));
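Review bot: With the parse moved ahead of the NOTICE line, a NACK whose attributes fail to parse no longer produces the "… NACK" NOTICE at all, only the generic ERROR on the added LOGPFOH line, so an operator filtering for NACKs will not see that one arrived. Including the message type in the error path keeps that information, e.g. `LOGPFOH(DNM, LOGL_ERROR, foh, "%s NACK: tlv_parse failed\n", abis_nm_nack_name(mt));`. The reordering itself is correct, since the NOTICE line is continued by LOGPC and must not be opened when the function returns early; the enclosing function starts outside the hunk.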
@@ -2838,7 +2866,10 @@
return -EINVAL;
}

- abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length-sizeof(*foh));
+ if (abis_nm_tlv_parse(&tp, sign_link->trx->bts, foh->data, oh->length - sizeof(*foh)) < 0) {
+ LOGPFOH(DNM, LOGL_ERROR, foh, "%s(): tlv_parse failed\n", __func__);
+ return -EINVAL;
+ }

/* The message might be received over the main OML link, so we cannot
* just use sign_link->trx. Resolve it by number from the FOM header. */


Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: Iecba34a96f71922ddd25028e7d3404f89b1106de
Gerrit-Change-Number: 27865
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>
Gerrit-MessageType: newchange