diff options
author | Harald Welte <laforge@gnumonks.org> | 2018-04-16 22:55:15 +0200 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2018-04-16 22:55:15 +0200 |
commit | f1fa4a7a9c0debd481234d2a188b1a06e440d65b (patch) | |
tree | 3e5f20456c62c06286f17b70b9f12a1da30b6b49 /src/xua_asp_fsm.c | |
parent | 58fcc5344ea0e914c7f9be69c309998d243142bd (diff) |
ipa_asp_fsm: Prevent against integer underflow
Ensure we don't pass a negative integer as "unsigned int len" to
ipa_asp_fsm_wait_id_get(). This could result in a remotely-triggered
integer underflow.
Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce
Diffstat (limited to 'src/xua_asp_fsm.c')
-rw-r--r-- | src/xua_asp_fsm.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/xua_asp_fsm.c b/src/xua_asp_fsm.c index e81f0af..93c76cb 100644 --- a/src/xua_asp_fsm.c +++ b/src/xua_asp_fsm.c @@ -881,6 +881,11 @@ static void ipa_asp_fsm_wait_id_get(struct osmo_fsm_inst *fi, uint32_t event, vo data_len = msgb_l2len(msg_get)-1; LOGPFSM(fi, "Received IPA CCM IDENTITY REQUEST for IEs %s\n", osmo_hexdump(req_data, data_len)); + /* avoid possible unsigned integer underflow, as ipa_ccm_make_id_resp_from_req() + * expects an unsigned integer, and in case of a zero-length L2 message we might + * have data_len == -1 here */ + if (data_len < 0) + data_len = 0; /* Send ID_RESP to server */ msg_resp = ipa_ccm_make_id_resp_from_req(iafp->ipa_unit, req_data, data_len); if (!msg_resp) { |