neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-sccp/+/37994?usp=email ) Change subject: coverity CID#272968 CID#272939 ...................................................................... coverity CID#272968 CID#272939 properly bounds-check received value (offset) before calculating msgb_l2len(msgb) - offset. Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e --- M src/sccp.c 1 file changed, 7 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/94/37994/1 diff --git a/src/sccp.c b/src/sccp.c index 85bea6d..c348b9e 100644 --- a/src/sccp.c +++ b/src/sccp.c @@ -158,9 +158,15 @@ static int _sccp_parse_optional_data(const int offset, struct msgb *msgb, struct sccp_optional_data *data) { - uint16_t room = msgb_l2len(msgb) - offset; + uint16_t room; uint16_t read = 0; + /* sanity: make sure no optional_start value received on the wire (that callers typically pass as 'offset' + * argument) takes us past the message buffer boundaries (CID#272968 and others) */ + if (offset >= msgb_l2len(msgb)) + return 0; + + room = msgb_l2len(msgb) - offset; while (room > read) { uint8_t type = msgb->l2h[offset + read]; if (type == SCCP_PNC_END_OF_OPTIONAL) -- To view, visit https://gerrit.osmocom.org/c/libosmo-sccp/+/37994?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: libosmo-sccp Gerrit-Branch: master Gerrit-Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e Gerrit-Change-Number: 37994 Gerrit-PatchSet: 1 Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>