This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Jacob Erlbeck jerlbeck at sysmocom.deCurrently msgb_trim only checks for len > data_len and returns -1 in that case, allowing the caller to fix it somehow. Using a negative length will always lead to a corrupt msgb, but this is not being checked. This commit adds a check for len < 0 and a conditional call to MSGB_ABORT. Sponsored-by: On-Waves ehf --- include/osmocom/core/msgb.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/osmocom/core/msgb.h b/include/osmocom/core/msgb.h index 9c99cad..b057caa 100644 --- a/include/osmocom/core/msgb.h +++ b/include/osmocom/core/msgb.h @@ -373,6 +373,8 @@ static inline void msgb_reserve(struct msgb *msg, int len) */ static inline int msgb_trim(struct msgb *msg, int len) { + if (len < 0) + MSGB_ABORT(msg, "Negative length is not allowed\n"); if (len > msg->data_len) return -1; -- 1.9.1