Stefan Sperling gerrit-no-reply at lists.osmocom.org
Review at https://gerrit.osmocom.org/5689
TLVP_PRESENT() should not return TRUE after tlv_parse() fails.
If the length provided in the packet exceeds the buffer length,
tlv_parse() returns -2 but leaves tlv.val and tlv.len initialized.
Many callers of tlv_parse() do not check its return value, but
rely on TLVP_PRESENT() to see if a particular TLV was parsed
successfully. By clearing tlv.val and tlv.len we make it less
likely that those callers will use an overlong TLV length value.
Change-Id: I4dda6938e1650b4bcaac45809a4763f86f5a9794
---
M src/gsm/tlv_parser.c
1 file changed, 8 insertions(+), 2 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/89/5689/1
diff --git a/src/gsm/tlv_parser.c b/src/gsm/tlv_parser.c
index ead856c..dcf8846 100644
--- a/src/gsm/tlv_parser.c
+++ b/src/gsm/tlv_parser.c
@@ -244,8 +244,11 @@
dec->lv[lv_tag].val = &buf[ofs+1];
dec->lv[lv_tag].len = buf[ofs];
len = dec->lv[lv_tag].len + 1;
- if (ofs + len > buf_len)
+ if (ofs + len > buf_len) {
+ dec->lv[lv_tag].val = 0;
+ dec->lv[lv_tag].len = 0;
return -2;
+ }
num_parsed++;
ofs += len;
}
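Review bot: in this first overflow branch the entry is stored and then undone, because dec->lv[lv_tag].val and dec->lv[lv_tag].len are assigned from the buffer before `ofs + len > buf_len` is evaluated. Consider reading the length into a local, doing the bounds check first, and writing to dec->lv[lv_tag] only once it passes, so the decoder never holds an out-of-range length even briefly. Since val is assigned a pointer (`&buf[ofs+1]`), `NULL` would also be clearer than `0` when clearing it.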
@@ -255,8 +258,11 @@
dec->lv[lv_tag2].val = &buf[ofs+1];
dec->lv[lv_tag2].len = buf[ofs];
len = dec->lv[lv_tag2].len + 1;
- if (ofs + len > buf_len)
+ if (ofs + len > buf_len) {
+ dec->lv[lv_tag].val = 0;
+ dec->lv[lv_tag].len = 0;
return -2;
+ }
num_parsed++;
ofs += len;
}
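Review bot: the cleanup added to this second branch clears dec->lv[lv_tag], but the surrounding context lines parse into dec->lv[lv_tag2]. As written, the overlong lv_tag2 entry keeps its val and len after the -2 return, which is exactly the case the commit message wants to remove, while the lv_tag entry is wiped instead. The two added lines should read `dec->lv[lv_tag2].val = 0;` and `dec->lv[lv_tag2].len = 0;`.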
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4dda6938e1650b4bcaac45809a4763f86f5a9794
Gerrit-PatchSet: 1
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>