authorPhilipp Maier <pmaier@sysmocom.de>2018-05-28 17:35:03 +0200
committerPhilipp Maier <pmaier@sysmocom.de>2018-05-28 17:48:19 +0200
commit0d95ca59f98defc38475442d220618212813994a (patch)
parent906c2099da1ca2e7dabac518816b890797f06657 (diff)
ggsn: fix misinterpreted length field in ipcp_contains_option()
The abort condition of the while loop in ipcp_contains_option() accesses ipcp->len directly. Unfortunately this field is a uint16_t which has to be interpreted as a little-endian value. If it is used without prior conversion the value may appear larger than actually intended and the loop will then not stop at the end of the buffer. This can cause unpredictable results when the value given with the parameter enum ipcp_options opt is not found. The loop will then eventually cause a segmentation fault or is likely to hang as soon as cur_opt->len points to a zero byte in memory. - Make sure that ipcp->len is interpreted correctly by accessing it through ntohs() Change-Id: Icffde89f9bc5d8fcadf6e2dd6c0b4de03440edd5 Related: OS#3288
1 files changed, 1 insertions, 1 deletions
diff --git a/ggsn/ggsn.c b/ggsn/ggsn.c
index 72bf61c..3a8c4be 100644
--- a/ggsn/ggsn.c
+++ b/ggsn/ggsn.c
@@ -418,7 +418,7 @@ static struct ipcp_option_hdr *ipcp_contains_option(struct ipcp_hdr *ipcp, enum
uint8_t *cur = ipcp->options;
/* iterate over Options and check if protocol contained */
- while (cur + 2 <= ((uint8_t *)ipcp) + ipcp->len) {
+ while (cur + 2 <= ((uint8_t *)ipcp) + ntohs(ipcp->len)) {
struct ipcp_option_hdr *cur_opt = (struct ipcp_option_hdr *) cur;
if (cur_opt->type == opt)
return cur_opt;