fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmocom-bb/+/35601?usp=email )
Change subject: mobile: gsm48_mm_data_ind(): check if struct gsm48_hdr fits ......................................................................
mobile: gsm48_mm_data_ind(): check if struct gsm48_hdr fits
A similar check was recently added to gsm48_cc_data_ind().
Change-Id: Ibc5153df41e2c6365a3c65b1906d440a1074514b Related: 273d412a "mobile: gsm48_cc_data_ind(): check if struct gsm48_hdr fits" --- M src/host/layer23/src/mobile/gsm48_mm.c 1 file changed, 23 insertions(+), 3 deletions(-)
Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved
diff --git a/src/host/layer23/src/mobile/gsm48_mm.c b/src/host/layer23/src/mobile/gsm48_mm.c
index 16a9b07..ee457ad 100644
--- a/src/host/layer23/src/mobile/gsm48_mm.c
+++ b/src/host/layer23/src/mobile/gsm48_mm.c
@@ -4731,13 +4731,21 @@
 struct gsm48_mmlayer *mm = &ms->mmlayer;
 struct gsm48_rr_hdr *rrh = (struct gsm48_rr_hdr *)msg->data;
 uint8_t sapi = rrh->sapi;
- struct gsm48_hdr *gh = msgb_l3(msg);
- uint8_t pdisc = gh->proto_discr & 0x0f;
- uint8_t msg_type = gh->msg_type & 0xbf;
+ const struct gsm48_hdr *gh = msgb_l3(msg);
+ uint8_t pdisc, msg_type;
 int msg_supported = 0; /* determine, if message is supported at all */
 uint8_t skip_ind;
 int i, rc;
+ if (msgb_l3len(msg) < sizeof(*gh)) {
+ LOGP(DMM, LOGL_INFO, "%s(): short read of msgb: %s\n",
+ __func__, msgb_hexdump(msg));
+ return -EINVAL;
+ }
+
+ pdisc = gh->proto_discr & 0x0f;
+ msg_type = gh->msg_type & 0xbf;
+
 /* 9.2.19 */
 if (msg_type == GSM48_MT_MM_NULL) {
 msgb_free(msg);
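Review bot: The new `return -EINVAL;` on the short-read path returns without releasing `msg`, while the `GSM48_MT_MM_NULL` branch directly below calls `msgb_free(msg)` before returning; if gsm48_mm_data_ind owns the msgb on this path, as that visible free suggests, a truncated L3 message now leaks a buffer on every occurrence, which matters since the length check exists precisely because such messages can arrive. Either add `msgb_free(msg);` before `return -EINVAL;`, or, if the caller frees on a non-zero return, say so in a comment on the check such as `/* caller frees msg on error */` so the asymmetry with the MM_NULL branch is not read as a leak. The function's signature and the rest of its body lie outside the hunk, so the ownership convention cannot be confirmed from here.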