diff options
author | Harald Welte <laforge@gnumonks.org> | 2018-01-22 01:49:02 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2018-01-23 17:03:05 +0000 |
commit | 5718429ec99f185efe2e733463700b8997f66b61 (patch) | |
tree | c8a9d2b912dce7fe877466a95b1c57a229698f78 /src/libmsc/mncc_sock.c | |
parent | 3b26f3495054196d42ac94fe4683aa94564807d8 (diff) |
MNCC: Add input validation
There appears to have been no input validation whatsoever on MNCC
messages. Hence it was very easy for an external MNCC handler to
crash OsmoMSC, such as in OS#2853
Change-Id: Idaf3b8e409c84564b1eb26d01a19c605f89b14f4
Closes: OS#2853
Diffstat (limited to 'src/libmsc/mncc_sock.c')
-rw-r--r-- | src/libmsc/mncc_sock.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/libmsc/mncc_sock.c b/src/libmsc/mncc_sock.c index b6b1bc9d9..14613ca2c 100644 --- a/src/libmsc/mncc_sock.c +++ b/src/libmsc/mncc_sock.c @@ -123,8 +123,11 @@ static int mncc_sock_read(struct osmo_fd *bfd) return 0; goto close; } + msgb_put(msg, rc); - rc = mncc_tx_to_cc(state->net, mncc_prim->msg_type, mncc_prim); + rc = mncc_prim_check(mncc_prim, rc); + if (rc == 0) + rc = mncc_tx_to_cc(state->net, mncc_prim->msg_type, mncc_prim); /* as we always synchronously process the message in mncc_send() and * its callbacks, we can free the message here. */ |