osmith has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc-nat/+/28582 )
Change subject: bssap_conn: fix missing length check ......................................................................
bssap_conn: fix missing length check
Fixes: Coverity CID#273004 Change-Id: I1fc4c81e139bab3d7d977ef9467f62d8088884db --- M src/osmo-bsc-nat/bssap_conn.c 1 file changed, 2 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bsc-nat refs/changes/82/28582/1
diff --git a/src/osmo-bsc-nat/bssap_conn.c b/src/osmo-bsc-nat/bssap_conn.c
index ec2a897..e0c64dc 100644
--- a/src/osmo-bsc-nat/bssap_conn.c
+++ b/src/osmo-bsc-nat/bssap_conn.c
@@ -18,6 +18,7 @@
 */
#include "config.h"
+#include <limits.h>
 #include <osmocom/core/msgb.h>
 #include <osmocom/gsm/gsm0808.h>
 #include <osmocom/sigtran/sccp_helpers.h>
@@ -44,7 +45,7 @@
 uint16_t len;
rv = tlv_parse_one(&tag, &len, &val, def, &msg_old->l3h[ofs], msgb_l3len(msg_old) - ofs);
- if (rv < 0) {
+ if (rv < 0 || len > UINT_MAX) {
 LOGP(DMAIN, LOGL_ERROR, "Failed to parse bssmap msg\n");
 msgb_free(msg_new);
 return rv;
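Review bot: The added `len > UINT_MAX` test can never be true: `len` is declared `uint16_t` in the context line above, so its largest value is 65535, which does not exceed `UINT_MAX` on any platform. The condition therefore quiets the Coverity finding without bounding the parsed length, and the `<limits.h>` include from the first hunk exists only to support it. The rest of the function is outside the hunk, so the right limit is inferred: compare `len` with whatever later consumes it, for example `if (rv < 0 || len > msgb_tailroom(msg_new)) {` if the value is copied into `msg_new`. Once the check is live, `return rv;` on that path returns a non-negative `rv` after `msg_new` has been freed, so the branch should return a negative error such as `return rv < 0 ? rv : -EINVAL;`.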