fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/42587?usp=email )
Change subject: ipaccess: fix buffer overread in ipacc_parse_supp_flags()
......................................................................
ipaccess: fix buffer overread in ipacc_parse_supp_flags()
The loop used OSMO_MAX(e->len, 4), which iterates at least 4 times even when the IE is shorter than 4 bytes, causing a buffer overread. Replace with OSMO_MIN(e->len, sizeof(u32)) to cap the iteration both at the actual IE length and at the uint32_t accumulator size.
Change-Id: I97c69a71eb650cbef1cc3652d0a2a966cfd6cf60
---
M src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/87/42587/1
diff --git a/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c b/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c index 23196fc..a197a79 100644 --- a/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c +++ b/src/osmo-bsc/bts_ipaccess_nanobts_omlattr.c @@ -47,7 +47,7 @@ { uint32_t u32 = 0;
- for (unsigned int i = 0; i < OSMO_MAX(e->len, 4); i++) + for (unsigned int i = 0; i < OSMO_MIN(e->len, sizeof(u32)); i++) u32 |= e->val[i] << (i * 8); for (const struct value_string *vs = flags; vs->value && vs->str; vs++) { if (u32 & vs->value)
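Review bot: the signed-shift hazard on the unchanged line `u32 |= e->val[i] << (i * 8);` survives this fix: `e->val[i]` is promoted to `int` before the shift, so for i == 3 any byte of 0x80 or above is shifted into the sign bit, which is undefined behaviour for a signed operand; cast before shifting, e.g. `u32 |= (uint32_t)e->val[i] << (i * 8);`. The loop bound change itself is correct and does more than the commit message says: with OSMO_MAX(e->len, 4) an IE longer than 4 bytes iterated e->len times and shifted by 32 or more bits, which is also undefined for a 32-bit operand, so OSMO_MIN(e->len, sizeof(u32)) closes both the short-IE overread and the long-IE oversized shift; worth stating in the message. One further point: an IE shorter than sizeof(u32) is now silently accepted with the missing high bytes treated as zero, so a LOGP at notice level when e->len < sizeof(u32) would make a misbehaving BTS visible instead of quietly under-reporting its supported feature flags.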