fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bts/+/42513?usp=email )
Change subject: l1sap: check_for_ciph_cmd(): add missing msgb length check
......................................................................
l1sap: check_for_ciph_cmd(): add missing msgb length check
The function accesses msg->data[0..4] without first verifying that the message is at least 5 bytes long, which would cause a buffer over-read on a malformed (too short) LAPDm frame.
Change-Id: I47690f1a6357e42913bfa8100e36c05cb4f0607a
---
M src/common/l1sap.c
1 file changed, 3 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/13/42513/1
diff --git a/src/common/l1sap.c b/src/common/l1sap.c index 3d0263f..e150398 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -215,6 +215,9 @@ return 0; }
+ if (msgb_length(msg) < 5) + return 0; + /* First byte (Address Field) of LAPDm header) */ if (msg->data[0] != 0x03) return 0;
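Review bot: the literal 5 in `if (msgb_length(msg) < 5)` is a magic number; a named constant or a comment tying it to the five bytes the function reads (data[0..4], as the commit message says) would make the bound self-documenting and keep it in sync if more header bytes are read later. The choice of msgb_length() is consistent with the msg->data[] indexing that follows, so the bound itself is correct. Returning 0 silently means a truncated frame is discarded with no trace; a debug-level log at that point would make malformed or truncated LAPDm frames visible when diagnosing a misbehaving peer. Minor nit while touching this area: the existing comment `/* First byte (Address Field) of LAPDm header) */` has an unbalanced closing parenthesis.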