This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Vadim Yanitskiy gerrit-no-reply at lists.osmocom.orgVadim Yanitskiy has submitted this change and it was merged. Change subject: gsm0480: drop messages with incorrect data length ...................................................................... gsm0480: drop messages with incorrect data length If either an INVOKE, either a RETURN_RESULT component has the data with incorrect length (see Annex A, 3GPP TS 04.80), the whole message is probably incorrect. Let's drop such messages instead of silent truncation. Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808 --- M src/gsm/gsm0480.c 1 file changed, 12 insertions(+), 9 deletions(-) Approvals: Harald Welte: Looks good to me, approved Jenkins Builder: Verified diff --git a/src/gsm/gsm0480.c b/src/gsm/gsm0480.c index 38082b3..636f267 100644 --- a/src/gsm/gsm0480.c +++ b/src/gsm/gsm0480.c @@ -552,8 +552,12 @@ if (num_chars > length - 2) return 0; - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_DATA data length=%u, " + "dropping message", num_chars); + return 0; + } memcpy(req->ussd_text, uss_req_data + 2, num_chars); @@ -588,9 +592,12 @@ /* Get the amount of bytes */ num_chars = uss_req_data[6]; - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) - num_chars = GSM0480_USSD_OCTET_STRING_LEN; + /* Drop messages with incorrect length */ + if (num_chars > GSM0480_USSD_OCTET_STRING_LEN) { + LOGP(DLGLOBAL, LOGL_ERROR, "Incorrect USS_REQ data length=%u, " + "dropping message", num_chars); + return 0; + } /* Copy the data 'as is' */ memcpy(req->ussd_data, uss_req_data + 7, num_chars); @@ -605,10 +612,6 @@ if (dcs == 0x0F) { /* Calculate the amount of 7-bit characters */ num_chars = (num_chars * 8) / 7; - - /* Prevent a mobile-originated buffer-overrun! */ - if (num_chars > GSM0480_USSD_7BIT_STRING_LEN) - num_chars = GSM0480_USSD_7BIT_STRING_LEN; gsm_7bit_decode_n_ussd((char *)req->ussd_text, sizeof(req->ussd_text), &(uss_req_data[7]), num_chars); -- To view, visit https://gerrit.osmocom.org/7630 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2a169b0b84aa26ea2521edd55ff005c27ae6d808 Gerrit-PatchSet: 2 Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>