New subject: [openbsc 2/3] gprs_llc: Prevent llme_alloc/lle_init from reading invalid memory

27 Jun 2014

foo = *((uintXX_t *) TLVP_VAL(...) can lead to unaligned access. To
prevent that use tlvp_valXX_unal() to get the values.
---
 openbsc/src/libbsc/abis_rsl.c             | 10 +++++-----
 openbsc/src/osmo-bsc/osmo_bsc_bssap.c     |  2 +-
 openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/openbsc/src/libbsc/abis_rsl.c b/openbsc/src/libbsc/abis_rsl.c
index 748ab7e..d193078 100644
--- a/openbsc/src/libbsc/abis_rsl.c
+++ b/openbsc/src/libbsc/abis_rsl.c
@@ -1804,20 +1804,20 @@ static void ipac_parse_rtp(struct gsm_lchan *lchan, struct tlv_parsed *tv)
    uint16_t port, conn_id;
if (TLVP_PRESENT(tv, RSL_IE_IPAC_LOCAL_IP)) {
-		ip.s_addr = *((uint32_t *) TLVP_VAL(tv, RSL_IE_IPAC_LOCAL_IP));
+		ip.s_addr = tlvp_val32_unal(tv, RSL_IE_IPAC_LOCAL_IP);
    	DEBUGPC(DRSL, "LOCAL_IP=%s ", inet_ntoa(ip));
    	lchan->abis_ip.bound_ip = ntohl(ip.s_addr);
    }
if (TLVP_PRESENT(tv, RSL_IE_IPAC_LOCAL_PORT)) {
-		port = *((uint16_t *) TLVP_VAL(tv, RSL_IE_IPAC_LOCAL_PORT));
+		port = tlvp_val16_unal(tv, RSL_IE_IPAC_LOCAL_PORT);
    	port = ntohs(port);
    	DEBUGPC(DRSL, "LOCAL_PORT=%u ", port);
    	lchan->abis_ip.bound_port = port;
    }
if (TLVP_PRESENT(tv, RSL_IE_IPAC_CONN_ID)) {
-		conn_id = *((uint16_t *) TLVP_VAL(tv, RSL_IE_IPAC_CONN_ID));
+		conn_id = tlvp_val16_unal(tv, RSL_IE_IPAC_CONN_ID);
    	conn_id = ntohs(conn_id);
    	DEBUGPC(DRSL, "CON_ID=%u ", conn_id);
    	lchan->abis_ip.conn_id = conn_id;
@@ -1838,13 +1838,13 @@ static void ipac_parse_rtp(struct gsm_lchan *lchan, struct tlv_parsed *tv)
    }
if (TLVP_PRESENT(tv, RSL_IE_IPAC_REMOTE_IP)) {
-		ip.s_addr = *((uint32_t *) TLVP_VAL(tv, RSL_IE_IPAC_REMOTE_IP));
+		ip.s_addr = tlvp_val32_unal(tv, RSL_IE_IPAC_REMOTE_IP);
    	DEBUGPC(DRSL, "REMOTE_IP=%s ", inet_ntoa(ip));
    	lchan->abis_ip.connect_ip = ntohl(ip.s_addr);
    }
if (TLVP_PRESENT(tv, RSL_IE_IPAC_REMOTE_PORT)) {
-		port = *((uint16_t *) TLVP_VAL(tv, RSL_IE_IPAC_REMOTE_PORT));
+		port = tlvp_val16_unal(tv, RSL_IE_IPAC_REMOTE_PORT);
    	port = ntohs(port);
    	DEBUGPC(DRSL, "REMOTE_PORT=%u ", port);
    	lchan->abis_ip.connect_port = port;
diff --git a/openbsc/src/osmo-bsc/osmo_bsc_bssap.c b/openbsc/src/osmo-bsc/osmo_bsc_bssap.c
index c2c2417..f58d96f 100644
--- a/openbsc/src/osmo-bsc/osmo_bsc_bssap.c
+++ b/openbsc/src/osmo-bsc/osmo_bsc_bssap.c
@@ -135,7 +135,7 @@ static int bssmap_handle_paging(struct osmo_msc_data *msc,
if (TLVP_PRESENT(&tp, GSM0808_IE_TMSI) &&
        TLVP_LEN(&tp, GSM0808_IE_TMSI) == 4) {
-		tmsi = ntohl(*(uint32_t *) TLVP_VAL(&tp, GSM0808_IE_TMSI));
+		tmsi = ntohl(tlvp_val32_unal(&tp, GSM0808_IE_TMSI));
    }
/*
diff --git a/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c b/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c
index 22b8a35..e13827b 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_mgcp_utils.c
@@ -191,7 +191,7 @@ int bsc_mgcp_assign_patch(struct nat_sccp_connection *con, struct msgb *msg)
    	return -1;
    }
-	cic = ntohs(*(uint16_t *)TLVP_VAL(&tp, GSM0808_IE_CIRCUIT_IDENTITY_CODE));
+	cic = ntohs(tlvp_val16_unal(&tp, GSM0808_IE_CIRCUIT_IDENTITY_CODE));
    timeslot = cic & 0x1f;
    multiplex = (cic & ~0x1f) >> 5;
-- 
1.8.4.2



    

[openbsc 1/3] libbsc, osmo-bsc{, _nat}: Prevent unaligned access when casting TLVP_VAL