9 Feb
2023
9 Feb
'23
11:56 a.m.
osmith has uploaded this change for review. (
https://gerrit.osmocom.org/c/libosmocore/+/31262 )
Change subject: gsm0808_dec_channel_type: add missing len check
......................................................................
gsm0808_dec_channel_type: add missing len check
Stop iterating if the extension bit (0x80) is set but elem is too short
to read another byte.
Related: OS#4393
Change-Id: Id37109dba0f5d40f4b83f0cef9b1dbd9d6bb2c68
---
M src/gsm/gsm0808_utils.c
M tests/gsm0808/gsm0808_test.c
2 files changed, 15 insertions(+), 0 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/62/31262/1
diff --git a/src/gsm/gsm0808_utils.c b/src/gsm/gsm0808_utils.c
index 9d787f2..83d2ce7 100644
--- a/src/gsm/gsm0808_utils.c
+++ b/src/gsm/gsm0808_utils.c
@@ -550,6 +550,9 @@
elem++;
for (i = 0; i < ARRAY_SIZE(ct->perm_spch); i++) {
+ if (elem - old_elem >= len)
+ return -EOVERFLOW;
+
byte = *elem;
elem++;
ct->perm_spch[i] = byte & 0x7f;
diff --git a/tests/gsm0808/gsm0808_test.c b/tests/gsm0808/gsm0808_test.c
index ab9f29b..f68d560 100644
--- a/tests/gsm0808/gsm0808_test.c
+++ b/tests/gsm0808/gsm0808_test.c
@@ -1117,6 +1117,17 @@
msgb_free(msg);
}
+static void test_gsm0808_dec_channel_type_err(void)
+{
+ struct gsm0808_channel_type ct;
+ int rc;
+
+ /* Speech: extension bit is set in last byte */
+ const uint8_t hex[] = { 0x01, 0x0b, 0xa1, 0xa5 };
+ rc = gsm0808_dec_channel_type(&ct, hex, sizeof(hex));
+ OSMO_ASSERT(rc == -EOVERFLOW);
+}
+
static void test_gsm0808_enc_dec_encrypt_info(void)
{
struct gsm0808_encrypt_info enc_ei = {
@@ -2569,6 +2580,7 @@
test_gsm0808_enc_dec_speech_codec_list();
test_gsm0808_enc_dec_empty_speech_codec_list();
test_gsm0808_enc_dec_channel_type();
+ test_gsm0808_dec_channel_type_err();
test_gsm0808_enc_dec_encrypt_info();
test_gsm0808_enc_dec_cell_id_list_lac();
--
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/31262
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Id37109dba0f5d40f4b83f0cef9b1dbd9d6bb2c68
Gerrit-Change-Number: 31262
Gerrit-PatchSet: 1
Gerrit-Owner: osmith <osmith(a)sysmocom.de>
Gerrit-MessageType: newchange
869
days inactive
869
days old
0 comments
1 participants
participants (1)
-
osmith