fixeria submitted this change.
ipaccess: fix buffer overread in ipacc_parse_supp_flags()
The loop used OSMO_MAX(e->len, 4), which iterates at least 4 times
even when the IE is shorter than 4 bytes, causing a buffer overread.
Replace with OSMO_MIN(e->len, sizeof(u32)) to cap the iteration both
at the actual IE length and at the uint32_t accumulator size.
Change-Id: I97c69a71eb650cbef1cc3652d0a2a966cfd6cf60
---
M src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c b/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c
index 23196fc..a197a79 100644
--- a/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c
+++ b/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c
@@ -47,7 +47,7 @@
{
uint32_t u32 = 0;
- for (unsigned int i = 0; i < OSMO_MAX(e->len, 4); i++)
+ for (unsigned int i = 0; i < OSMO_MIN(e->len, sizeof(u32)); i++)
u32 |= e->val[i] << (i * 8);
for (const struct value_string *vs = flags; vs->value && vs->str; vs++) {
if (u32 & vs->value)
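Review bot: The shift in the loop body, `u32 |= e->val[i] << (i * 8);`, is still evaluated before the value is widened to the accumulator type. If e->val holds bytes, as the 8-bit step suggests, the operand is promoted to int, so at i == 3 a byte with its top bit set is shifted into the sign bit, which is undefined behaviour for a signed int. Casting first, as in `u32 |= (uint32_t)e->val[i] << (i * 8);`, avoids that. Separately, with the OSMO_MIN() cap an IE longer than sizeof(u32) is now parsed from its first four bytes only and the remainder is ignored without notice; a short comment or a log line for the e->len > sizeof(u32) case would make that truncation deliberate and visible.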
To view, visit change 42587.