fixeria has uploaded this change for review.

mobile: gsm48_mm_data_ind(): check if struct gsm48_hdr fits

A similar check was recently added to gsm48_cc_data_ind().

Change-Id: Ibc5153df41e2c6365a3c65b1906d440a1074514b
Related: 273d412a "mobile: gsm48_cc_data_ind(): check if struct gsm48_hdr fits"
---
M src/host/layer23/src/mobile/gsm48_mm.c
1 file changed, 23 insertions(+), 3 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/01/35601/1
diff --git a/src/host/layer23/src/mobile/gsm48_mm.c b/src/host/layer23/src/mobile/gsm48_mm.c
index 16a9b07..ee457ad 100644
--- a/src/host/layer23/src/mobile/gsm48_mm.c
+++ b/src/host/layer23/src/mobile/gsm48_mm.c
@@ -4731,13 +4731,21 @@
struct gsm48_mmlayer *mm = &ms->mmlayer;
struct gsm48_rr_hdr *rrh = (struct gsm48_rr_hdr *)msg->data;
uint8_t sapi = rrh->sapi;
- struct gsm48_hdr *gh = msgb_l3(msg);
- uint8_t pdisc = gh->proto_discr & 0x0f;
- uint8_t msg_type = gh->msg_type & 0xbf;
+ const struct gsm48_hdr *gh = msgb_l3(msg);
+ uint8_t pdisc, msg_type;
int msg_supported = 0; /* determine, if message is supported at all */
uint8_t skip_ind;
int i, rc;

+ if (msgb_l3len(msg) < sizeof(*gh)) {
+ LOGP(DMM, LOGL_INFO, "%s(): short read of msgb: %s\n",
+ __func__, msgb_hexdump(msg));
+ return -EINVAL;
+ }
+
+ pdisc = gh->proto_discr & 0x0f;
+ msg_type = gh->msg_type & 0xbf;
+
/* 9.2.19 */
if (msg_type == GSM48_MT_MM_NULL) {
msgb_free(msg);
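
Review bot: the new short-read branch exits with `return -EINVAL;` without calling `msgb_free(msg)`, while the GSM48_MT_MM_NULL branch directly below it frees the message before leaving. If this function owns `msg` at this point, as that branch suggests, every truncated L3 message leaks one msgb, which a peer that keeps sending short messages can repeat at will. Suggest adding `msgb_free(msg);` before the return, or noting in the commit message that the caller frees on a negative return code. Separately, `rrh->sapi` is still read from `msg->data` above the new check with no length check visible in this hunk; it is worth confirming that the caller guarantees a full `struct gsm48_rr_hdr` is present.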

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: Ibc5153df41e2c6365a3c65b1906d440a1074514b
Gerrit-Change-Number: 35601
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>
Gerrit-MessageType: newchange