Change in libosmocore[master]: gsm_7bit_encode_n(): fix integer overflow in gsm_septets2octets()

[fixeria]

fixeria has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/22544 )

Change subject: gsm_7bit_encode_n(): fix integer overflow in gsm_septets2octets()
......................................................................

gsm_7bit_encode_n(): fix integer overflow in gsm_septets2octets()

Using 'uint8_t' for the length argument is definitely a bad idea.
Because of this, packing more than 255 septets would not work as
expected.  Deprecate the old function and use 'size_t' instead.

Change-Id: Ib1aac538afeb0a5c76a1df472d555139a496e12e
---
M include/osmocom/gsm/gsm_utils.h
M src/gsm/gsm_utils.c
M src/gsm/libosmogsm.map
M tests/sms/sms_test.c
M tests/sms/sms_test.ok
5 files changed, 20 insertions(+), 15 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved



diff --git a/include/osmocom/gsm/gsm_utils.h b/include/osmocom/gsm/gsm_utils.h
index de63434..0909006 100644
--- a/include/osmocom/gsm/gsm_utils.h
+++ b/include/osmocom/gsm/gsm_utils.h
@@ -110,7 +110,10 @@
 int gsm_7bit_encode_n_ussd(uint8_t *result, size_t n, const char *data, int *octets_written);
 
 /* the four functions below are helper functions and here for the unit test */
-int gsm_septets2octets(uint8_t *result, const uint8_t *rdata, uint8_t septet_len, uint8_t padding);
+int gsm_septets2octets(uint8_t *result, const uint8_t *rdata, uint8_t septet_len, uint8_t padding)
+	OSMO_DEPRECATED("This function is unable to handle more than 255 septets, "
+			"use gsm_septet_pack() instead.");
+int gsm_septet_pack(uint8_t *result, const uint8_t *rdata, size_t septet_len, uint8_t padding);
 int gsm_septet_encode(uint8_t *result, const char *data);
 uint8_t gsm_get_octet_len(const uint8_t sept_len);
 int gsm_7bit_decode_n_hdr(char *decoded, size_t n, const uint8_t *user_data, uint8_t length, uint8_t ud_hdr_ind);
diff --git a/src/gsm/gsm_utils.c b/src/gsm/gsm_utils.c
index ae77a9d..07e082d 100644
--- a/src/gsm/gsm_utils.c
+++ b/src/gsm/gsm_utils.c
@@ -324,7 +324,7 @@
  *  \param[in] septet_len Length of \a rdata
  *  \param[in] padding padding bits at start
  *  \returns number of bytes used in \a result */
-int gsm_septets2octets(uint8_t *result, const uint8_t *rdata, uint8_t septet_len, uint8_t padding)
+int gsm_septet_pack(uint8_t *result, const uint8_t *rdata, size_t septet_len, uint8_t padding)
 {
 	int i = 0, z = 0;
 	uint8_t cb, nb;
@@ -369,6 +369,12 @@
 	return z;
 }
 
+/*! Backwards compatibility wrapper for gsm_septets_pack(), deprecated. */
+int gsm_septets2octets(uint8_t *result, const uint8_t *rdata, uint8_t septet_len, uint8_t padding)
+{
+	return gsm_septet_pack(result, rdata, septet_len, padding);
+}
+
 /*! GSM 7-bit alphabet TS 03.38 6.2.1 Character packing
  *  \param[out] result Caller-provided output buffer
  *  \param[in] n Maximum length of \a result in bytes
@@ -393,7 +399,7 @@
 		y = max_septets;
 	}
 
-	o = gsm_septets2octets(result, rdata, y, 0);
+	o = gsm_septet_pack(result, rdata, y, 0);
 
 	if (octets)
 		*octets = o;
diff --git a/src/gsm/libosmogsm.map b/src/gsm/libosmogsm.map
index c314c20..584d761 100644
--- a/src/gsm/libosmogsm.map
+++ b/src/gsm/libosmogsm.map
@@ -478,6 +478,7 @@
 
 gsm_milenage;
 gsm_septet_encode;
+gsm_septet_pack;
 gsm_septets2octets;
 
 lapd_dl_exit;
diff --git a/tests/sms/sms_test.c b/tests/sms/sms_test.c
index c7f47e2..3e14529 100644
--- a/tests/sms/sms_test.c
+++ b/tests/sms/sms_test.c
@@ -384,7 +384,7 @@
 	memcpy(tmp, septet_data, concatenated_part1_septet_length);
 
 	/* In our case: test_multiple_decode[0].ud_hdr_ind equals number of padding bits*/
-	octet_length = gsm_septets2octets(coded, tmp, concatenated_part1_septet_length, test_multiple_encode[0].ud_hdr_ind);
+	octet_length = gsm_septet_pack(coded, tmp, concatenated_part1_septet_length, test_multiple_encode[0].ud_hdr_ind);
 
 	/* copy header */
 	memset(tmp, 0x42, sizeof(tmp));
@@ -402,7 +402,7 @@
 	memcpy(tmp, septet_data + concatenated_part1_septet_length, concatenated_part2_septet_length);
 
 	/* In our case: test_multiple_decode[1].ud_hdr_ind equals number of padding bits*/
-	octet_length = gsm_septets2octets(coded, tmp, concatenated_part2_septet_length, test_multiple_encode[1].ud_hdr_ind);
+	octet_length = gsm_septet_pack(coded, tmp, concatenated_part2_septet_length, test_multiple_encode[1].ud_hdr_ind);
 
 	/* copy header */
 	memset(tmp, 0x42, sizeof(tmp));
diff --git a/tests/sms/sms_test.ok b/tests/sms/sms_test.ok
index 724c166..de1fce3 100644
--- a/tests/sms/sms_test.ok
+++ b/tests/sms/sms_test.ok
@@ -21,20 +21,15 @@
 
 Running test_enc_large_msg
 gsm_7bit_encode_n(len=2048) processed 2048 septets (expected 2048): OK
-gsm_7bit_encode_n(len=2048) used 0 octets in the buffer (expected 1792): FAIL
-	Unexpected chunk at enc_buf[0:7]: 00 00 00 00 00 00 00 
+gsm_7bit_encode_n(len=2048) used 1792 octets in the buffer (expected 1792): OK
 gsm_7bit_encode_n(len=1024) processed 1024 septets (expected 1024): OK
-gsm_7bit_encode_n(len=1024) used 0 octets in the buffer (expected 896): FAIL
-	Unexpected chunk at enc_buf[0:7]: 00 00 00 00 00 00 00 
+gsm_7bit_encode_n(len=1024) used 896 octets in the buffer (expected 896): OK
 gsm_7bit_encode_n(len=555) processed 555 septets (expected 555): OK
-gsm_7bit_encode_n(len=555) used 38 octets in the buffer (expected 486): FAIL
-	Unexpected chunk at enc_buf[35:6]: c1 60 10 00 00 00 
+gsm_7bit_encode_n(len=555) used 486 octets in the buffer (expected 486): OK
 gsm_7bit_encode_n(len=512) processed 512 septets (expected 512): OK
-gsm_7bit_encode_n(len=512) used 0 octets in the buffer (expected 448): FAIL
-	Unexpected chunk at enc_buf[0:7]: 00 00 00 00 00 00 00 
+gsm_7bit_encode_n(len=512) used 448 octets in the buffer (expected 448): OK
 gsm_7bit_encode_n(len=260) processed 260 septets (expected 260): OK
-gsm_7bit_encode_n(len=260) used 4 octets in the buffer (expected 228): FAIL
-	Unexpected chunk at enc_buf[0:6]: c1 60 30 08 00 00 
+gsm_7bit_encode_n(len=260) used 228 octets in the buffer (expected 228): OK
 gsm_7bit_encode_n(len=255) processed 255 septets (expected 255): OK
 gsm_7bit_encode_n(len=255) used 224 octets in the buffer (expected 224): OK
 gsm_7bit_encode_n(len=250) processed 250 septets (expected 250): OK

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/22544
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Ib1aac538afeb0a5c76a1df472d555139a496e12e
Gerrit-Change-Number: 22544
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210201/47fb4e06/attachment.htm>