Change in libosmocore[master]: Fix ipa_ccm_make_id_resp_from_req to work at all

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

laforge gerrit-no-reply at lists.osmocom.org
Thu Apr 29 16:41:13 UTC 2021 

laforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/23979 )


Change subject: Fix ipa_ccm_make_id_resp_from_req to work at all
......................................................................

Fix ipa_ccm_make_id_resp_from_req to work at all

The parser was so horribly broken, it could not ever have possibly
worked.

Change-Id: Ibed0ff7f8d36504ef783f2653c9982d4e25e874f
---
M src/gsm/ipa.c
1 file changed, 8 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/79/23979/1

diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index fdc0bc6..7379d06 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -412,10 +412,14 @@
 	/* build a array of the IEIs */
 	while (len >= 2) {
 		uint8_t t_len, t_tag;
-		len -= 2;
+		len -= 2;	/* subtract the length of the two bytes read below */
 		t_len = *cur++;
 		t_tag = *cur++;
 
+		/* as the 'tag' is included in the length of t_len, this cannot happen */
+		if (t_len == 0)
+			break;
+
 		if (t_len > len + 1) {
 			LOGP(DLINP, LOGL_ERROR, "IPA CCM tag 0x%02x does not fit\n", t_tag);
 			break;
@@ -423,13 +427,14 @@
 
 		ies[num_ies++] = t_tag;
 
-		cur += t_len;
+		/* we need to subtract one from t_len to account for the tag */
+		cur += t_len-1;
 		/* prevent any unsigned integer underflow due to somebody sending us
 		 * messages with wrong length values */
 		if (len <= t_len)
 			len = 0;
 		else
-			len -= t_len;
+			len -= t_len-1;
 	}
 	return ipa_ccm_make_id_resp(dev, ies, num_ies);
 }

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/23979
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Ibed0ff7f8d36504ef783f2653c9982d4e25e874f
Gerrit-Change-Number: 23979
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210429/5f5dda25/attachment.htm>

More information about the gerrit-log mailing list