neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-sccp/+/37994?usp=email )
Change subject: coverity CID#272968 CID#272939
......................................................................
coverity CID#272968 CID#272939
properly bounds-check received value (offset) before calculating msgb_l2len(msgb) - offset.
Change-Id: Ic6823cf077ef15ef1f6e209bf53384913911f93e
---
M src/sccp.c
1 file changed, 7 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/94/37994/1
diff --git a/src/sccp.c b/src/sccp.c index 85bea6d..c348b9e 100644 --- a/src/sccp.c +++ b/src/sccp.c @@ -158,9 +158,15 @@ static int _sccp_parse_optional_data(const int offset, struct msgb *msgb, struct sccp_optional_data *data) { - uint16_t room = msgb_l2len(msgb) - offset; + uint16_t room; uint16_t read = 0;
+ /* sanity: make sure no optional_start value received on the wire (that callers typically pass as 'offset' + * argument) takes us past the message buffer boundaries (CID#272968 and others) */ + if (offset >= msgb_l2len(msgb)) + return 0; + + room = msgb_l2len(msgb) - offset; while (room > read) { uint8_t type = msgb->l2h[offset + read]; if (type == SCCP_PNC_END_OF_OPTIONAL)
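Review bot: the new guard `if (offset >= msgb_l2len(msgb))` compares a signed `const int offset` against the L2 length, so rejection of a negative `offset` depends on implicit signed/unsigned conversion rather than an explicit test; spell it out as `if (offset < 0 || offset >= msgb_l2len(msgb))` so the bound is obvious to the next reader and does not change if the return type of `msgb_l2len()` ever changes. Two smaller points in the same hunk: `room` stays `uint16_t`, so `msgb_l2len(msgb) - offset` is still truncated when the L2 length exceeds 65535, and the guard returns 0, which callers cannot tell apart from a legitimately empty optional part; if the function's callers treat 0 as success, either return a negative error code for the out-of-range case or add a comment stating that silently ignoring the optional part is the intended behaviour.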