fixeria has uploaded this change for review.
l1sap: check_for_ciph_cmd(): add missing msgb length check
The function accesses msg->data[0..4] without first verifying that the
message is at least 5 bytes long, which would cause a buffer over-read
on a malformed (too short) LAPDm frame.
Change-Id: I47690f1a6357e42913bfa8100e36c05cb4f0607a
---
M src/common/l1sap.c
1 file changed, 3 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/13/42513/1
diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index 3d0263f..e150398 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -215,6 +215,9 @@
return 0;
}
+ if (msgb_length(msg) < 5)
+ return 0;
+
/* First byte (Address Field) of LAPDm header) */
if (msg->data[0] != 0x03)
return 0;
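Review bot: The new `msgb_length(msg) < 5` guard returns silently, so a truncated LAPDm frame is dropped with no trace; consider emitting a notice-level log line (via LOGP with the subsystem this file already uses) before the `return 0;` so malformed input is observable rather than invisible. A short comment above the check explaining why 5 is the minimum (the fixed header bytes that `msg->data[0..4]` are read from below) would also save the next reader from re-deriving the magic number. The check itself is correctly placed ahead of the first `msg->data[0]` dereference and uses the same early-return convention as the surrounding code.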