Change in osmo-bsc[master]: SI Type 4: prevent potential buffer overflow

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Tue Sep 8 20:19:18 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/19962 )

Change subject: SI Type 4: prevent potential buffer overflow
......................................................................

SI Type 4: prevent potential buffer overflow

Make sure that in generate_si4() we do not corrupt other SI buffers
by limiting maximum length of the Mobile Allocation to 2 octets.
This would preserve at least 2 octets for the Rest Octets, which
should be enough to encode at least the GPRS Indicator.

Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4
Related: SYS#4868, OS#4545
---
M src/osmo-bsc/system_information.c
1 file changed, 3 insertions(+), 0 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 2418e32..b969989 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c
@@ -974,6 +974,9 @@
 
 		/* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */
 		if (ts->hopping.enabled) {
+			/* Prevent potential buffer overflow */
+			if (ts->hopping.ma_len > 2)
+				return -ENOMEM;
 			tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL,
 				       ts->hopping.ma_len,
 				       ts->hopping.ma_data);
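
Review bot: the limit in `if (ts->hopping.ma_len > 2)` is a bare literal, and the comment above it ("Prevent potential buffer overflow") does not say where the 2 comes from. The commit message has the reasoning (cap the Mobile Allocation at 2 octets so that at least 2 octets remain for the Rest Octets), and that belongs next to the check, ideally with a named constant in place of the literal. A fixed cap is also only correct while everything written before this IE keeps its current size; computing the space left between `tail` and the end of the SI buffer and comparing it against the TLV header plus `ts->hopping.ma_len` would keep the check valid if the preceding layout changes. Finally, nothing in this hunk logs before `return -ENOMEM;`, so a hopping configuration with a longer Mobile Allocation makes SI4 generation fail without naming the cause; an error log line with the offending `ma_len` would make that diagnosable, and `-EINVAL` may describe a configuration limit better than `-ENOMEM`.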

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/19962

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4
Gerrit-Change-Number: 19962
Gerrit-PatchSet: 5
Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-CC: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged