This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
fixeria gerrit-no-reply at lists.osmocom.orgfixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-pcu/+/18432 ) Change subject: csn1: fix csnStreamEncoder(): always check the choice index ...................................................................... csn1: fix csnStreamEncoder(): always check the choice index It's so easy to pick an out of bounds value otherwise... Change-Id: I12f5ab739b97f1f3b5d4bed1b5a4a661c879e89f --- M src/csn1.c 1 file changed, 6 insertions(+), 4 deletions(-) Approvals: Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve pespin: Looks good to me, approved diff --git a/src/csn1.c b/src/csn1.c index 700c342..5b60399 100644 --- a/src/csn1.c +++ b/src/csn1.c @@ -1803,7 +1803,6 @@ case CSN_CHOICE: { gint16 count = pDescr->i; - guint8 i = 0; const CSN_ChoiceElement_t* pChoice = (const CSN_ChoiceElement_t*) pDescr->descr.ptr; /* Make sure that the list of choice items is not empty */ @@ -1812,9 +1811,12 @@ else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */ return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr); - pui8 = pui8DATA(data, pDescr->offset); - i = *pui8; - pChoice += i; + /* Make sure that choice index is not out of range */ + pui8 = pui8DATA(data, pDescr->offset); + if (*pui8 >= count) + return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_INVALID_UNION_INDEX, pDescr); + + pChoice += *pui8; guint8 no_of_bits = pChoice->bits; guint8 value = pChoice->value; LOGPC(DCSN1, LOGL_DEBUG, "%s = %u | ", pChoice->descr.sz , (unsigned)value); -- To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/18432 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-pcu Gerrit-Branch: master Gerrit-Change-Id: I12f5ab739b97f1f3b5d4bed1b5a4a661c879e89f Gerrit-Change-Number: 18432 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <axilirator at gmail.com> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <axilirator at gmail.com> Gerrit-Reviewer: laforge <laforge at osmocom.org> Gerrit-Reviewer: pespin <pespin at sysmocom.de> Gerrit-MessageType: merged -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200525/fa20ab5c/attachment.htm>