From ff42b26520a7421a6c6c9c9cd4b88aed00453b01 Mon Sep 17 00:00:00 2001 From: Jacob Erlbeck Date: Fri, 27 Nov 2015 13:26:19 +0100 Subject: msgb: Assert len >= 0 in msgb_trim Currently msgb_trim only checks for len > data_len and returns -1 in that case, allowing the caller to fix it somehow. Using a negative length will always lead to a corrupt msgb, but this is not being checked. This commit adds a check for len < 0 and a conditional call to MSGB_ABORT. Sponsored-by: On-Waves ehf --- include/osmocom/core/msgb.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/osmocom') diff --git a/include/osmocom/core/msgb.h b/include/osmocom/core/msgb.h index 9c99cadf..b057caa0 100644 --- a/include/osmocom/core/msgb.h +++ b/include/osmocom/core/msgb.h @@ -373,6 +373,8 @@ static inline void msgb_reserve(struct msgb *msg, int len) */ static inline int msgb_trim(struct msgb *msg, int len) { + if (len < 0) + MSGB_ABORT(msg, "Negative length is not allowed\n"); if (len > msg->data_len) return -1; -- cgit v1.2.3