This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.org

Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13982 )

Change subject: libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
......................................................................

libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun

In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.

Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
---
M src/libmsc/ran_msg_a.c
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified

diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 21be896..805308c 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -1080,7 +1080,9 @@ /* Encryption Information */ make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark); if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) { - if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) { + /* Prevent both source / destination buffer overrun / overflow */ + if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key) + || n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) { LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n", n->geran.chosen_encryption->key_len); return NULL; -- To view, visit https://gerrit.osmocom.org/13982 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575 Gerrit-Change-Number: 13982 Gerrit-PatchSet: 4 Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder (1000002) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190513/23ab7366/attachment.htm>
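Review bot: In the widened condition of the `@@ -1080,7 +1080,9 @@` hunk, both failure modes (key_len larger than the destination r.encryption_information.key, and key_len larger than the source n->geran.chosen_encryption->key) end in the same LOG_RAN_A_ENC line, which prints only key_len, so the log cannot show which bound was violated. Consider adding the exceeded limit to the message, or testing the two bounds separately with distinct messages. The commit message ties the source overrun to an incorrect received key length, so it would also be worth rejecting an out-of-range key_len at the point where chosen_encryption is filled in, so that other readers of ->key are covered and not only this Handover Request path.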