Change in osmo-msc[master]: libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Mon May 13 20:15:07 UTC 2019 

Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13982 )

Change subject: libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
......................................................................

libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun

In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.

Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
---
M src/libmsc/ran_msg_a.c
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 21be896..805308c 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -1080,7 +1080,9 @@
 	/* Encryption Information */
 	make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);
 	if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
-		if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {
+		/* Prevent both source / destination buffer overrun / overflow */
+		if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)
+		    || n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) {
 			LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",
 				       n->geran.chosen_encryption->key_len);
 			return NULL;

-- 
To view, visit https://gerrit.osmocom.org/13982
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Gerrit-Change-Number: 13982
Gerrit-PatchSet: 4
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder (1000002)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190513/23ab7366/attachment.htm>

More information about the gerrit-log mailing list