osmith has uploaded this change for review.

bssap_conn: fix missing length check

Fixes: Coverity CID#273004
Change-Id: I1fc4c81e139bab3d7d977ef9467f62d8088884db
---
M src/osmo-bsc-nat/bssap_conn.c
1 file changed, 2 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bsc-nat refs/changes/82/28582/1
diff --git a/src/osmo-bsc-nat/bssap_conn.c b/src/osmo-bsc-nat/bssap_conn.c
index ec2a897..e0c64dc 100644
--- a/src/osmo-bsc-nat/bssap_conn.c
+++ b/src/osmo-bsc-nat/bssap_conn.c
@@ -18,6 +18,7 @@
*/

#include "config.h"
+#include <limits.h>
#include <osmocom/core/msgb.h>
#include <osmocom/gsm/gsm0808.h>
#include <osmocom/sigtran/sccp_helpers.h>
@@ -44,7 +45,7 @@
uint16_t len;

rv = tlv_parse_one(&tag, &len, &val, def, &msg_old->l3h[ofs], msgb_l3len(msg_old) - ofs);
- if (rv < 0) {
+ if (rv < 0 || len > UINT_MAX) {
LOGP(DMAIN, LOGL_ERROR, "Failed to parse bssmap msg\n");
msgb_free(msg_new);
return rv;
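
Review bot: The added `len > UINT_MAX` test in the changed `if` can never be true: `len` is declared `uint16_t` just above, and `UINT_MAX` is at least 65535, so the check is dead code and bounds nothing. Compare `len` against the limit of whatever consumes it later in the function (the narrower type or buffer the value is passed into) rather than against `UINT_MAX`. Also, if a length check in this branch fires while `rv >= 0`, `return rv;` hands a non-negative value back to the caller after `msg_new` has been freed; return an explicit negative error code for that case and log it separately, since "Failed to parse bssmap msg" would not describe it.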

Gerrit-Project: osmo-bsc-nat
Gerrit-Branch: master
Gerrit-Change-Id: I1fc4c81e139bab3d7d977ef9467f62d8088884db
Gerrit-Change-Number: 28582
Gerrit-PatchSet: 1
Gerrit-Owner: osmith <osmith@sysmocom.de>
Gerrit-MessageType: newchange