laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/28478 )
Change subject: cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
......................................................................
cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
>> CID 273001: Insecure data handling (TAINTED_SCALAR)
>> Passing tainted expression "needed" to "recv", which uses it as an offset.
1444 rc = recv(fd, msg->tail, needed, 0);
Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
---
M src/gsm/cbsp.c
1 file changed, 4 insertions(+), 0 deletions(-)
Approvals:
laforge: Looks good to me, approved
fixeria: Looks good to me, but someone else must approve
Jenkins Builder: Verified
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 2095003..a31517b 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -1441,6 +1441,10 @@
needed = len - msgb_l2len(msg);
if (needed > 0) {
+ if (needed > msgb_tailroom(msg)) {
+ rc = -ENOMEM;
+ goto discard_msg;
+ }
rc = recv(fd, msg->tail, needed, 0);
if (rc == 0)
goto discard_msg;
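Review bot: the new `if (needed > msgb_tailroom(msg))` branch sets `rc = -ENOMEM` and jumps to `discard_msg` without logging anything, so an oversized length is indistinguishable from a real allocation failure to whoever reads the return code or the logs. Consider logging `needed` and `msgb_tailroom(msg)` before the `goto`, and using a return code that says the message was too large for the buffer. A one-line comment that `needed` derives from `len` and must be bounded before it reaches `recv()` would also document why the check exists, since the Coverity finding is only recorded in the commit message.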
--
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
Gerrit-Change-Number: 28478
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: laforge <laforge(a)osmocom.org>
Gerrit-MessageType: merged