dexter has uploaded this change for review.

View Change

abis_rsl: assert maximum length

The length parameter in rsl_imm_assign_cmd_common() may cause a buffer
overflow when it is chosen larger than GSM_MACBLOCK_LEN. This should be
asserted.

Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
---
M src/osmo-bsc/abis_rsl.c
1 file changed, 14 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/77/31577/1
diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index ee2e2d3..410f08e 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -944,6 +944,7 @@
 		break;
 	default:
 		/* If phase 2, construct a FULL_IMM_ASS_INFO */
+		OSMO_ASSERT(len <= sizeof(buf));
 		pad_macblock(buf, val, len);
 		msgb_tlv_put(msg, RSL_IE_FULL_IMM_ASS_INFO, GSM_MACBLOCK_LEN,
 			     buf);

To view, visit change 31577. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
Gerrit-Change-Number: 31577
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier@sysmocom.de>
Gerrit-MessageType: newchange