Change in libosmo-abis[master]: input/dahdi.c: Don't simply read beyond end of msgb


laforge gerrit-no-reply at lists.osmocom.org
Sat Jul 4 09:24:23 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/19127 )

Change subject: input/dahdi.c: Don't simply read beyond end of msgb
......................................................................

input/dahdi.c: Don't simply read beyond end of msgb

Let's first add two bytes to the msgb before writing.  This way we
would assert in case there was no tailroom.  As we just added tailroom
in the previous patch of this series, we are fine.

Change-Id: If84b31ea9a3fc7a6c8768918efed2822d1d58427
Closes: OS#4644
---
M src/input/dahdi.c
1 file changed, 20 insertions(+), 2 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved



diff --git a/src/input/dahdi.c b/src/input/dahdi.c
index a461f27..8cebac3 100644
--- a/src/input/dahdi.c
+++ b/src/input/dahdi.c
@@ -224,7 +224,16 @@
 	struct e1inp_ts *e1i_ts = &line->ts[ts_nr-1];
 	int ret;
 
-	ret = write(bfd->fd, msg->data, msg->len + 2);
+	if (msgb_tailroom(msg) >= 2) {
+		/* two bytes of space for the FCS added by DAHDI in the kernel */
+		msgb_put(msg, 2);
+		ret = write(bfd->fd, msg->data, msg->len);
+	} else {
+		/* work-around for code that sends us messages with no tailroom (OS#4644) */
+		uint8_t buf[msg->len + 2];
+		memcpy(buf, msg->data, msg->len);
+		ret = write(bfd->fd, buf, sizeof(buf));
+	}
 	msgb_free(msg);
 	if (ret == -1)
 		handle_dahdi_exception(e1i_ts);
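Review bot: In the else branch the last two bytes of buf are never initialised, so write(bfd->fd, buf, sizeof(buf)) hands two bytes of stale stack contents to the driver. The comment in the other branch says DAHDI adds the FCS in those two bytes, but it is safer to be explicit than to rely on that: zero them after the memcpy, for example memset(buf + msg->len, 0, 2). buf is also a variable-length array sized by msg->len with no upper bound checked in this hunk; bounding msg->len before the declaration, or using a fixed-size buffer with a length check, would keep stack usage predictable.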
@@ -273,7 +282,16 @@
 	if (!msg)
 		return;
 
-	ret = write(bfd->fd, msg->data, msg->len + 2);
+	if (msgb_tailroom(msg) >= 2) {
+		/* two bytes of space for the FCS added by DAHDI in the kernel */
+		msgb_put(msg, 2);
+		ret = write(bfd->fd, msg->data, msg->len);
+	} else {
+		/* work-around for code that sends us messages with no tailroom (OS#4644) */
+		uint8_t buf[msg->len + 2];
+		memcpy(buf, msg->data, msg->len);
+		ret = write(bfd->fd, buf, sizeof(buf));
+	}
 	msgb_free(msg);
 	if (ret == -1)
 		handle_dahdi_exception(e1i_ts);
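Review bot: This block is a verbatim copy of the one in the first hunk, work-around branch included, so any later fix has to be made in two places; moving the msgb_tailroom() check, the msgb_put() and the fallback copy into one static helper called from both sites would avoid that. The fallback also runs silently, and the commit message says a missing tailroom "would assert", which the code here does not do. A log line in the else branch would make the callers behind OS#4644 visible, so the work-around can eventually be removed.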

-- 
To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/19127

Gerrit-Project: libosmo-abis
Gerrit-Branch: master
Gerrit-Change-Id: If84b31ea9a3fc7a6c8768918efed2822d1d58427
Gerrit-Change-Number: 19127
Gerrit-PatchSet: 2
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: tnt <tnt at 246tNt.com>
Gerrit-MessageType: merged