fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmocom-bb/+/35585?usp=email )
Change subject: mobile: gsm48_cc_data_ind(): check if struct gsm48_hdr fits ......................................................................
mobile: gsm48_cc_data_ind(): check if struct gsm48_hdr fits
Change-Id: I06c1877f603d3de0210dee7033ef163637c22054 Related: OS#4396 --- M src/host/layer23/src/mobile/gsm48_cc.c 1 file changed, 22 insertions(+), 6 deletions(-)
Approvals: jolly: Looks good to me, but someone else must approve Jenkins Builder: Verified pespin: Looks good to me, approved
diff --git a/src/host/layer23/src/mobile/gsm48_cc.c b/src/host/layer23/src/mobile/gsm48_cc.c
index c3ec94b..21f68d3 100644
--- a/src/host/layer23/src/mobile/gsm48_cc.c
+++ b/src/host/layer23/src/mobile/gsm48_cc.c
@@ -2148,15 +2148,21 @@ static int gsm48_cc_data_ind(struct gsm_trans *trans, struct msgb *msg)
 {
 struct osmocom_ms *ms = trans->ms;
- struct gsm48_hdr *gh = msgb_l3(msg);
- int msg_type = gh->msg_type & 0xbf;
- uint8_t transaction_id = ((gh->proto_discr & 0xf0) ^ 0x80) >> 4;
- /* flip */
+ const struct gsm48_hdr *gh = msgb_l3(msg);
 int msg_supported = 0; /* determine, if message is supported at all */
+ uint8_t msg_type;
 int i, rc;
- /* set transaction ID, if not already */
- trans->transaction_id = transaction_id;
+ if (msgb_l3len(msg) < sizeof(*gh)) {
+ LOGP(DCC, LOGL_INFO, "%s(): short read of msgb: %s\n",
+ __func__, msgb_hexdump(msg));
+ return -EINVAL;
+ }
+
+ msg_type = gh->msg_type & 0xbf;
+
+ /* set transaction ID (flip), if not already */
+ trans->transaction_id = ((gh->proto_discr & 0xf0) ^ 0x80) >> 4;
 /* pull the MMCC header */
 msgb_pull(msg, sizeof(struct gsm48_mmxx_hdr));
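Review bot: The new early `return -EINVAL` on a short L3 header leaves msg unconsumed and nothing in the hunk frees it, so whether this leaks depends on the caller owning the msgb on a negative return; the remaining return paths of gsm48_cc_data_ind are outside the hunk, so confirm they follow the same ownership convention before relying on this one. The added check is correct for the two-byte gsm48_hdr but covers only the header, so any per-message IE parsing after the dispatch (not shown here) still needs its own bounds checks against the remaining L3 length. The retained comment `/* set transaction ID (flip), if not already */` is stale because the assignment below it is unconditional; `/* take the transaction ID from the header, flipping the TI flag bit (the XOR with 0x80) */` states what the code actually does. A truncated message from the peer is also worth more than LOGL_INFO; LOGL_NOTICE would keep malformed-frame events visible at the default log level, if that matches the file's convention elsewhere.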