laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/31577 )
Change subject: abis_rsl: guard against overlong IMMEDIATE ASSIGNMENT Messages

abis_rsl: guard against overlong IMMEDIATE ASSIGNMENT Messages
The length parameter in rsl_imm_assign_cmd_common() may cause a buffer overflow when it is chosen larger than GSM_MACBLOCK_LEN. Let's make sure this cannot happen.
Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791
---
M src/osmo-bsc/abis_rsl.c
1 file changed, 22 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  fixeria: Looks good to me, approved
  laforge: Looks good to me, approved
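The defect the commit message describes is the classic "trusted length, fixed stack buffer" pattern: a caller-supplied `len` is copied into a `uint8_t buf[GSM_MACBLOCK_LEN]` without first comparing it against `sizeof(buf)`. The following is an added, stand-alone illustration of that pattern and of the fix; it is not osmo-bsc code. The function names, the 0x2b fill octet and the caller are assumptions made for the example; only the 23-octet MAC block length matches the value the page's constant refers to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same value as the GSM MAC block length the patch's sizeof(buf) evaluates to. */
#define GSM_MACBLOCK_LEN 23

/* Assumed fill octet for unused MAC-block space (0x2b is the GSM L2 fill pattern). */
#define L2_FILL 0x2b

/*
 * 'Before' pattern (hypothetical, mirrors the bug described in the commit message):
 * len is trusted, so any len > sizeof(buf) writes past the end of a stack buffer.
 * Kept only for contrast; never call it with an unchecked len.
 */
static void build_mac_block_unchecked(const uint8_t *val, size_t len, uint8_t *out)
{
	uint8_t buf[GSM_MACBLOCK_LEN];

	memset(buf, L2_FILL, sizeof(buf));
	memcpy(buf, val, len);          /* stack overflow when len > 23 */
	memcpy(out, buf, sizeof(buf));
}

/*
 * 'After' pattern: reject an overlong payload before anything is copied and
 * before any resource (in the real code: the msgb) is allocated.
 * Returns the number of octets written to out (always GSM_MACBLOCK_LEN) or -1.
 * out must have room for GSM_MACBLOCK_LEN octets.
 */
int build_mac_block(const uint8_t *val, size_t len, uint8_t *out)
{
	uint8_t buf[GSM_MACBLOCK_LEN];

	if (len > sizeof(buf)) {
		fprintf(stderr, "Cannot build MAC block with excessive length (%zu)\n", len);
		return -1;
	}
	memset(buf, L2_FILL, sizeof(buf));
	memcpy(buf, val, len);
	memcpy(out, buf, sizeof(buf));
	return (int)sizeof(buf);
}

/*
 * Exercises the hardened builder with a short, an exactly-fitting and an
 * overlong payload (constructed test data) and returns the number of checks
 * that failed, so 0 means every expectation held.
 */
int selftest(void)
{
	uint8_t val[32];
	uint8_t out[GSM_MACBLOCK_LEN];
	int failures = 0;

	memset(val, 0xaa, sizeof(val));

	/* 4 payload octets: copied verbatim, rest filled with L2_FILL. */
	if (build_mac_block(val, 4, out) != GSM_MACBLOCK_LEN)
		failures++;
	if (out[0] != 0xaa || out[3] != 0xaa || out[4] != L2_FILL || out[22] != L2_FILL)
		failures++;

	/* Exactly 23 octets: the boundary case must still be accepted. */
	if (build_mac_block(val, GSM_MACBLOCK_LEN, out) != GSM_MACBLOCK_LEN)
		failures++;
	if (out[22] != 0xaa)
		failures++;

	/* 24 octets: one past the buffer, must be refused without writing out. */
	memset(out, 0, sizeof(out));
	if (build_mac_block(val, GSM_MACBLOCK_LEN + 1, out) != -1)
		failures++;
	if (out[0] != 0)
		failures++;

	(void)build_mac_block_unchecked; /* referenced only so the 'before' version compiles */
	return failures;
}

int main(void)
{
	int failed = selftest();

	printf("%s (%d failing checks)\n", failed ? "FAIL" : "OK", failed);
	return failed ? 1 : 0;
}
```

The point worth carrying over to a real caller is the error path: once a builder can return an error (here -1, in the patch NULL), every call site must test for it before using the result, otherwise the bounds check merely replaces a memory-safety bug with a NULL dereference.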
diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c index ee2e2d3..7eb3a43 100644 --- a/src/osmo-bsc/abis_rsl.c +++ b/src/osmo-bsc/abis_rsl.c @@ -930,10 +930,18 @@ /* Chapter 8.5.6 */ struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, const uint8_t *val) { - struct msgb *msg = rsl_msgb_alloc(); + struct msgb *msg; struct abis_rsl_dchan_hdr *dh; uint8_t buf[GSM_MACBLOCK_LEN];
+ if (len > sizeof(buf)) { + LOGP(DRSL, LOGL_ERROR, + "Cannot send IMMEDIATE ASSIGNMENT message with excessive length (%u)\n", len); + return NULL; + } + + msg = rsl_msgb_alloc(); + dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh)); init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD); dh->chan_nr = RSL_CHAN_PCH_AGCH;
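Review bot: the new `return NULL;` in the `len > sizeof(buf)` branch makes rsl_imm_assign_cmd_common() return NULL for the first time, and the hunk shown here updates none of its callers; please confirm every call site checks the returned msgb before handing it to msgb_* helpers or the transmit path, otherwise the bounds check trades a stack overflow for a NULL dereference on the same input. Moving `msg = rsl_msgb_alloc();` below the check is the right call, since returning early before allocation avoids leaking the msgb on the error path, and `%u` for the `uint8_t len` is fine after integer promotion.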