author | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2013-07-03 10:12:23 +0400 |
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-07-04 18:34:49 +0200 |
commit | 84402c0c82e0ff9591c760485e0790cf658aef91 (patch) | |
tree | a4e39635584e40f3797c5b67bf3d038a7ff328bd /openbsc/src/gprs/gprs_gmm.c | |
parent | f0167ddfc26755ef44be5c6939b3491e3364ba36 (diff) |
sgsn: Fix lengths of MS Network Capability and MS Radio Access Capability elements.
Original code was inconsistent about lengths and could lead to an out-of-bounds write. Lengths were also inconsistent with TS 24.008.
Fixes: Coverity CID 1040714.
Diffstat (limited to 'openbsc/src/gprs/gprs_gmm.c')
-rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 72d9e764b..bb61ab50a 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -648,7 +648,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS network capability 10.5.5.12 */
 msnc_len = *cur++;
 msnc = cur;
- if (msnc_len > 8)
+ if (msnc_len > sizeof(ctx->ms_network_capa.buf))
 goto err_inval;
 cur += msnc_len;
 
@@ -679,7 +679,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS Radio Access Capability 10.5.5.12a */
 ms_ra_acc_cap_len = *cur++;
 ms_ra_acc_cap = cur;
- if (ms_ra_acc_cap_len > 52)
+ if (ms_ra_acc_cap_len > sizeof(ctx->ms_radio_access_capa.buf))
 goto err_inval;
 cur += ms_ra_acc_cap_len;
 
@@ -740,8 +740,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 ctx->cell_id = cid;
 /* Update MM Context with other data */
 ctx->drx_parms = drx_par;
- ctx->ms_radio_access_capa.len = OSMO_MIN(ms_ra_acc_cap_len,
- sizeof((ctx->ms_radio_access_capa.buf)));
+ ctx->ms_radio_access_capa.len = ms_ra_acc_cap_len;
 memcpy(ctx->ms_radio_access_capa.buf, ms_ra_acc_cap,
 ctx->ms_radio_access_capa.len);
 ctx->ms_network_capa.len = msnc_len;
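Review bot: The new check at `if (msnc_len > sizeof(ctx->ms_network_capa.buf))` bounds the length against the destination buffer, which closes the write overflow, but nothing in this hunk bounds it against the bytes remaining in the received message before `cur += msnc_len` advances the parse pointer. If gsm48_rx_gmm_att_req (whose body starts and ends outside these hunks) does not already validate the total IE length against the msgb payload, an Attach Request carrying a short message but a large length octet would make the later reads run past the end of the received data; the same applies to the second hunk at `ms_ra_acc_cap_len`. I would add a remaining-length check against the msgb payload before each `cur += …`, or a comment at the top of the parser stating where that invariant is established so the two buffer-size checks are not mistaken for a complete bounds check. The commit message also says the old constants disagreed with TS 24.008, but neither check enforces the spec's minimum IE length; a one-line comment such as `/* length bounded by destination buffer; spec minimum not enforced here */` would make that explicit.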
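Review bot: Dropping OSMO_MIN at `ctx->ms_radio_access_capa.len = ms_ra_acc_cap_len;` makes the memcpy on the next two lines depend entirely on the `> sizeof(ctx->ms_radio_access_capa.buf)` check roughly sixty lines earlier, with no local reminder of that invariant. A future edit that relaxes or moves the earlier check would silently reintroduce the overflow Coverity reported, so I would leave a comment at the assignment: `/* already bounded by sizeof(ctx->ms_radio_access_capa.buf) in the IE parsing above */`. The type of ms_ra_acc_cap_len and msnc_len is not visible here; if they are wider than the single octet read via `*cur++` and signed, the comparison against sizeof would promote to unsigned and still behave, but that is worth confirming rather than assuming.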