Hi all,
Attached patch fixes the lengths of the MS Network Capability and MS Radio Access Capability elements.
Original code was inconsistent about lengths and could lead to an out-of-bounds write. Lengths were also inconsistent with TS 24.008.
--
Regards,
Alexander Chemeris.
CEO, Fairwaves LLC / ООО УмРадио
http://fairwaves.ru
On Wed, Jul 03, 2013 at 10:19:45AM +0400, Alexander Chemeris wrote:
> Hi all,
> Attached patch fixes the lengths of the MS Network Capability and MS Radio Access Capability elements.
> Original code was inconsistent about lengths and could lead to an out-of-bounds write. Lengths were also inconsistent with TS 24.008.
Hi,
Maybe add a "Fixes Coverity CID 1040714" to the commit message, or at least "found by Coverity"?
The patches look fine.
holger
Hi,
On Wed, Jul 3, 2013 at 11:08 AM, Holger Hans Peter Freyther holger@freyther.de wrote:
> On Wed, Jul 03, 2013 at 10:19:45AM +0400, Alexander Chemeris wrote:
> > Hi all,
> > Attached patch fixes the lengths of the MS Network Capability and MS Radio Access Capability elements.
> > Original code was inconsistent about lengths and could lead to an out-of-bounds write. Lengths were also inconsistent with TS 24.008.
> Maybe add a "Fixes Coverity CID 1040714" to the commit message, or at least "found by Coverity"?
I think it's a good idea, but it's up to you to establish the workflow. Feel free to add one of these lines to the commit message.
--
Regards,
Alexander Chemeris.
CEO, Fairwaves LLC / ООО УмРадио
http://fairwaves.ru
On Wed, Jul 03, 2013 at 11:28:16AM +0400, Alexander Chemeris wrote:
> I think it's a good idea, but it's up to you to establish the workflow. Feel free to add one of these lines to the commit message.
As long as it contains the "CID ..." it is fine. On the other hand, could you please elaborate on why you picked "50"? This looks a bit too small.
"MS Radio Access capability ... LV 6 - 52" -- Table 9.4.1
"The MS RA capability is a type 4 information element, with a maximum length of 52 octets."
-- 10.5.5.12a
So if I remove one byte for the length, then the Capa can still be 51 bytes? How do you end up with 50?
holger
PS: I didn't look at the other hunk and this size
On Wed, Jul 3, 2013 at 12:14 PM, Holger Hans Peter Freyther holger@freyther.de wrote:
> On the other hand, could you please elaborate on why you picked "50"? This looks a bit too small.
> "MS Radio Access capability ... LV 6 - 52" -- Table 9.4.1
> "The MS RA capability is a type 4 information element, with a maximum length of 52 octets."
> -- 10.5.5.12a
> So if I remove one byte for the length, then the Capa can still be 51 bytes? How do you end up with 50?
I based my calculations on the "Figure 10.5.128a/3GPP TS 24.008 MS Radio Access Capability information element". I.e., I assumed that the 52 octets are for the TLV case, i.e. including the IEI and Length octets. I'm not sure why they include the IEI for Type 4 (LV) IEs - probably for consistency.
> PS: I didn't look at the other hunk and this size
Same logic as above.
--
Regards,
Alexander Chemeris.
CEO, Fairwaves LLC / ООО УмРадио
http://fairwaves.ru
On Thu, Jul 04, 2013 at 12:54:17AM +0400, Alexander Chemeris wrote:
> > "MS Radio Access capability ... LV 6 - 52" -- Table 9.4.1
> > So if I remove one byte for the length, then the Capa can still be 51 bytes? How do you end up with 50?
> I based my calculations on the "Figure 10.5.128a/3GPP TS 24.008 MS Radio Access Capability information element". I.e., I assumed that the 52 octets are for the TLV case, i.e. including the IEI and Length octets. I'm not sure why they include the IEI for Type 4 (LV) IEs - probably for consistency.
But do you agree that if Table 9.4.1 claims that LV takes up to 52 bytes, then either V can be 51 or the table is wrong?
holger
On Thu, Jul 4, 2013 at 9:35 AM, Holger Hans Peter Freyther holger@freyther.de wrote:
> On Thu, Jul 04, 2013 at 12:54:17AM +0400, Alexander Chemeris wrote:
> > > "MS Radio Access capability ... LV 6 - 52" -- Table 9.4.1
> > > So if I remove one byte for the length, then the Capa can still be 51 bytes? How do you end up with 50?
> > I based my calculations on the "Figure 10.5.128a/3GPP TS 24.008 MS Radio Access Capability information element". I.e., I assumed that the 52 octets are for the TLV case, i.e. including the IEI and Length octets. I'm not sure why they include the IEI for Type 4 (LV) IEs - probably for consistency.
> But do you agree that if Table 9.4.1 claims that LV takes up to 52 bytes, then either V can be 51 or the table is wrong?
Which version of the document are you looking at? I have "3GPP TS 24.008 V12.2.0 (2013-06)", and in Table 9.4.1 it claims the Length to be "6 - 51", which makes exactly 50 octets max without the L octet.
--
Regards,
Alexander Chemeris.
CEO, Fairwaves LLC / ООО УмРадио
http://fairwaves.ru
On Thu, Jul 04, 2013 at 10:05:51AM +0400, Alexander Chemeris wrote:
> Which version of the document are you looking at? I have "3GPP TS 24.008 V12.2.0 (2013-06)", and in Table 9.4.1 it claims the Length to be "6 - 51", which makes exactly 50 octets max without the L octet.
Interesting, I have 3GPP TS 24.008 version 7.6.0 Release 7, ETSI TS 124 008 V7.6.0 (2006-12). So they have fixed/changed this in newer versions. :)
cheers,
holger
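A bounds-checked decoder for the LV-encoded MS Radio Access Capability IE, written as an added example for this thread; it is not the patch under review and not osmocom code. It assumes the sizes the thread settles on (52 octets for the whole IE including IEI and Length, so at most 50 value octets, matching the "6 - 51" LV range in TS 24.008 V12.2.0) and rejects any length octet that would overrun the fixed destination buffer, which is the out-of-bounds write the patch addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Sizes assumed for this example (not project constants): the whole IE is
 * read as at most 52 octets including the IEI and Length octets, so the
 * value part is at most 50 octets (LV range "6 - 51" in Table 9.4.1 of
 * TS 24.008 V12.2.0, minus the L octet). */
#define MS_RA_CAP_IE_MAX_OCTETS   52
#define MS_RA_CAP_MAX_VALUE_LEN   (MS_RA_CAP_IE_MAX_OCTETS - 2)  /* IEI + L */

struct ms_ra_cap {
    uint8_t len;                              /* number of valid value octets */
    uint8_t value[MS_RA_CAP_MAX_VALUE_LEN];   /* fixed-size destination */
};

/* Decode an LV-encoded MS RA Capability IE: buf[0] is the length octet L,
 * followed by L value octets. Returns the number of octets consumed, or -1
 * when L exceeds the spec maximum (would overrun out->value) or when the
 * buffer is shorter than L claims (would read past the message). Both
 * checks run before the memcpy, which is what prevents the out-of-bounds
 * write discussed above. */
int ms_ra_cap_decode_lv(struct ms_ra_cap *out, const uint8_t *buf, size_t buf_len)
{
    if (!out || !buf || buf_len < 1)
        return -1;
    uint8_t l = buf[0];
    if (l > MS_RA_CAP_MAX_VALUE_LEN)          /* longer than the IE allows */
        return -1;
    if ((size_t)l + 1 > buf_len)              /* truncated message */
        return -1;
    out->len = l;
    memcpy(out->value, buf + 1, l);
    return (int)l + 1;
}

/* Helper that runs the decoder on a constructed buffer: a length octet of
 * claimed_len followed by 0xAB filler, buf_len octets in total (max 64). */
int ms_ra_cap_try_decode(uint8_t claimed_len, size_t buf_len)
{
    uint8_t buf[64];
    struct ms_ra_cap cap;
    if (buf_len < 1 || buf_len > sizeof(buf))
        return -1;
    memset(buf, 0xAB, sizeof(buf));
    buf[0] = claimed_len;
    return ms_ra_cap_decode_lv(&cap, buf, buf_len);
}
```

A length octet of 50 with 51 octets present is the largest accepted input; 51 is refused even when the bytes are there, and any L larger than the remaining message is refused too.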