[PATCH] osmo-bts[master]: trx: Better be safe than sorry before calling strlen

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Sun Nov 5 18:04:44 UTC 2017


Review at  https://gerrit.osmocom.org/4684

trx: Better be safe than sorry before calling strlen

There's a lot of pointer arithmetic in trx_ctrl_read_cb which is
not so nice.  While I believe the current code is safe, Coverity
raises "CID 178665:  Insecure data handling  (INTEGER_OVERFLOW)"
regardin the use of rsp_len in the strcmp().

Let's put some OSMO_ASSERT() in front and hope that makes Coverity
happy.

Change-Id: I5a9b3307f83cdde7c8e9f66932446604f5623b05
---
M src/osmo-bts-trx/trx_if.c
1 file changed, 2 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/84/4684/1

diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c
index a41cf2c..5d8f6c4 100644
--- a/src/osmo-bts-trx/trx_if.c
+++ b/src/osmo-bts-trx/trx_if.c
@@ -391,6 +391,8 @@
 				"message '%s'\n", buf, tcm->cmd);
 			goto rsp_error;
 		}
+		OSMO_ASSERT(strlen(buf+4) >= rsp_len);
+		OSMO_ASSERT(strlen(tcm->cmd+4) >= rsp_len);
 		if (!!strncmp(buf + 4, tcm->cmd + 4, rsp_len))
 			goto notmatch;
 

-- 
To view, visit https://gerrit.osmocom.org/4684
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5a9b3307f83cdde7c8e9f66932446604f5623b05
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>



More information about the gerrit-log mailing list