laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/28478 )
Change subject: cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
CID 273001: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "needed" to "recv", which uses it as an offset.
1444 rc = recv(fd, msg->tail, needed, 0);
Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
---
M src/gsm/cbsp.c
1 file changed, 4 insertions(+), 0 deletions(-)
Approvals:
  laforge: Looks good to me, approved
  fixeria: Looks good to me, but someone else must approve
  Jenkins Builder: Verified
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c index 2095003..a31517b 100644 --- a/src/gsm/cbsp.c +++ b/src/gsm/cbsp.c @@ -1441,6 +1441,10 @@
needed = len - msgb_l2len(msg); if (needed > 0) { + if (needed > msgb_tailroom(msg)) { + rc = -ENOMEM; + goto discard_msg; + } rc = recv(fd, msg->tail, needed, 0); if (rc == 0) goto discard_msg;
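Review bot: -ENOMEM misdescribes the condition the new check catches. `needed` is `len - msgb_l2len(msg)`, and `len` is the peer-supplied length Coverity flagged as tainted, so `needed > msgb_tailroom(msg)` means the remote side announced a message larger than the receive buffer, not that an allocation failed; returning -EMSGSIZE (and logging the offending `len` before `goto discard_msg`) would make a malformed or hostile peer easier to diagnose in the field. The check itself is placed correctly: it runs before `recv(fd, msg->tail, needed, 0)` can write past the tail, and the existing `if (needed > 0)` guard already excludes negative values. Worth confirming that the `discard_msg` label frees `msg` and returns `rc` for this new path exactly as it does for the `rc == 0` case, since both now share it.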