laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/31577 ) Change subject: abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages ...................................................................... abis_rsl: guard against over long IMMEDIATE ASSIGNMENT Messages The length parameter in rsl_imm_assign_cmd_common() may cause a buffer overflow when it is chosen larger than GSM_MACBLOCK_LEN. Lets make sure this cannot happen. Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791 --- M src/osmo-bsc/abis_rsl.c 1 file changed, 22 insertions(+), 1 deletion(-) Approvals: Jenkins Builder: Verified fixeria: Looks good to me, approved laforge: Looks good to me, approved diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c index ee2e2d3..7eb3a43 100644 --- a/src/osmo-bsc/abis_rsl.c +++ b/src/osmo-bsc/abis_rsl.c @@ -930,10 +930,18 @@ /* Chapter 8.5.6 */ struct msgb *rsl_imm_assign_cmd_common(const struct gsm_bts *bts, uint8_t len, const uint8_t *val) { - struct msgb *msg = rsl_msgb_alloc(); + struct msgb *msg; struct abis_rsl_dchan_hdr *dh; uint8_t buf[GSM_MACBLOCK_LEN]; + if (len > sizeof(buf)) { + LOGP(DRSL, LOGL_ERROR, + "Cannot send IMMEDIATE ASSIGNMENT message with excessive length (%u)\n", len); + return NULL; + } + + msg = rsl_msgb_alloc(); + dh = (struct abis_rsl_dchan_hdr *) msgb_put(msg, sizeof(*dh)); init_dchan_hdr(dh, RSL_MT_IMMEDIATE_ASSIGN_CMD); dh->chan_nr = RSL_CHAN_PCH_AGCH; -- To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/31577 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-Change-Id: I9417b35fb8c0517f2555e17059bf8ac60fa59791 Gerrit-Change-Number: 31577 Gerrit-PatchSet: 6 Gerrit-Owner: dexter <pmaier(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-MessageType: merged