csn1: Properly verify CSN_BITMAP length

Change-Id: I9f7672b534f9345caff99095504749eebad25adb
author: Pau Espin Pedrol <pespin@sysmocom.de> 2020-03-26 20:29:53 +0100
committer: laforge <laforge@osmocom.org> 2020-03-30 10:08:02 +0000
commit: c8280a538a7abb8d707b308bdd00ee0442188e43 (patch)
tree: 4b6468ba10ed629b7acadd830b4cd2e6969ac1cb
parent: f5e275aec0c5a4c68cd62db838ba22ba7af7b664 (diff)
1 files changed, 16 insertions, 4 deletions
diff --git a/src/csn1.c b/src/csn1.c
index 78444bb9..b3817e39 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -424,6 +424,10 @@ csnStreamDecoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec *vector
 
         if (no_of_bits > 0)
         {
+          if (no_of_bits > remaining_bits_len)
+          {
+            return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+          }
 
           if (no_of_bits <= 32)
           {
@@ -451,7 +455,6 @@ csnStreamDecoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec *vector
           }
 
           remaining_bits_len -= no_of_bits;
-          assert(remaining_bits_len >= 0);
           bit_offset += no_of_bits;
         }
         /* bitmap was successfully extracted or it was empty */
@@ -876,6 +879,10 @@ csnStreamDecoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec *vector
 
             if (no_of_bits > 0)
             {
+              if (no_of_bits > remaining_bits_len)
+              {
+                return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+              }
 
               if (no_of_bits <= 32)
               {
@@ -896,7 +903,6 @@ csnStreamDecoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec *vector
               }
 
               remaining_bits_len -= no_of_bits;
-              assert(remaining_bits_len >= 0);
               bit_offset += no_of_bits;
             }
             /* bitmap was successfully extracted or it was empty */
@@ -1737,6 +1743,10 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
 
         if (no_of_bits > 0)
         {
+          if (no_of_bits > remaining_bits_len)
+          {
+            return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+          }
 
           if (no_of_bits <= 32)
           {
@@ -1762,7 +1772,6 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
           }
 
           remaining_bits_len -= no_of_bits;
-          assert(remaining_bits_len >= 0);
           bit_offset += no_of_bits;
         }
         /* bitmap was successfully extracted or it was empty */
@@ -2153,6 +2162,10 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
 
             if (no_of_bits > 0)
             {
+              if (no_of_bits > remaining_bits_len)
+              {
+                return ProcessError(writeIndex, "csnStreamDecoder", CSN_ERROR_NEED_MORE_BITS_TO_UNPACK, pDescr);
+              }
 
               if (no_of_bits <= 32)
               {
@@ -2172,7 +2185,6 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
               }
 
               remaining_bits_len -= no_of_bits;
-              assert(remaining_bits_len >= 0);
               bit_offset += no_of_bits;
             }
             /* bitmap was successfully extracted or it was empty */
author	Pau Espin Pedrol <pespin@sysmocom.de>	2020-03-26 20:29:53 +0100
committer	laforge <laforge@osmocom.org>	2020-03-30 10:08:02 +0000
commit	c8280a538a7abb8d707b308bdd00ee0442188e43 (patch)
tree	4b6468ba10ed629b7acadd830b4cd2e6969ac1cb
parent	f5e275aec0c5a4c68cd62db838ba22ba7af7b664 (diff)