author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-11 04:46:24 +0700 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2019-05-13 20:15:04 +0000 |
commit | 444771dae23f05294207983f723d3c8f17199f76 (patch) | |
tree | 565302a40366c38c441ac77c8a6cb9eb8da8d47e | |
parent | 18e8b39fcde77832382372ecbd98de955a132f7d (diff) |
libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.
Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
-rw-r--r-- | src/libmsc/ran_msg_a.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 21be8960e..805308c1b 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -1080,7 +1080,9 @@ struct msgb *ran_a_make_handover_request(struct osmo_fsm_inst *log_fi, const str
 /* Encryption Information */
 make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);
 if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
- if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {
+ /* Prevent both source / destination buffer overrun / overflow */
+ if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)
+ || n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) {
 LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",
 n->geran.chosen_encryption->key_len);
 return NULL; |
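Review bot: The added source-side bound in the `if` is enforced only at this point of use, so any other reader of `n->geran.chosen_encryption->key` that trusts `key_len` (none are visible in this hunk) would still be able to over-read. Since the commit message says the bad length is received, consider also rejecting an oversized `key_len` where the chosen-encryption struct is filled in, and keeping this check as a second line of defence. The second comparison is meaningful only if `key` is a fixed-size array member, because `sizeof` on a pointer would give the pointer size; the declaration is outside the hunk, so a comment such as `/* key[] is a fixed-size array, sizeof yields its capacity */` would record that assumption. The operation these checks guard (presumably the key copy) and the closing braces lie outside the hunk.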