author | Harald Welte <laforge@osmocom.org> | 2020-12-03 15:36:59 +0100 |
---|---|---|
committer | Harald Welte <laforge@osmocom.org> | 2020-12-05 11:44:39 +0100 |
commit | 6c4c6f08ae13d89b375584988ed1f0556417a7cf (patch) | |
tree | 51fb5104d40ea410272d5715c95820b9f8b82949 /src/gbproxy/gb_proxy_peer.c | |
parent | fb7f8c5f0771ad65b57cfce4357805be8c673ae7 (diff) |
gb_proxy: Use TLVP_PRES_LEN instead of TLVP_PRESENT
With TLVP_PRESENT we only check if a given TLV/IE is present,
but don't verify that its length matches our expectation. This can
lead to out-of-bounds reads, so let's always use TLVP_PRES_LEN.
Change-Id: I1519cff0f6b2fe77f9a91eee17e0055d9df1bce6
Diffstat (limited to 'src/gbproxy/gb_proxy_peer.c')
-rw-r--r-- | src/gbproxy/gb_proxy_peer.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/gbproxy/gb_proxy_peer.c b/src/gbproxy/gb_proxy_peer.c
index ea5fe1ee1..79ea8e332 100644
--- a/src/gbproxy/gb_proxy_peer.c
+++ b/src/gbproxy/gb_proxy_peer.c
@@ -165,7 +165,7 @@ struct gbproxy_peer *gbproxy_peer_by_lac(struct gbproxy_config *cfg,
 struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
 struct tlv_parsed *tp)
 {
- if (TLVP_PRESENT(tp, BSSGP_IE_BVCI)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, 2)) {
 uint16_t bvci;
 bvci = ntohs(tlvp_val16_unal(tp, BSSGP_IE_BVCI));
@@ -174,7 +174,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
 }
 /* FIXME: this doesn't make sense, as RA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_ROUTEING_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_ROUTEING_AREA, 6)) {
 uint8_t *rai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_ROUTEING_AREA);
 /* Only compare LAC part, since MCC/MNC are possibly patched.
 * Since the LAC of different BSS must be different when
@@ -183,7 +183,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
 }
 /* FIXME: this doesn't make sense, as LA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_LOCATION_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_LOCATION_AREA, 5)) {
 uint8_t *lai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_LOCATION_AREA);
 return gbproxy_peer_by_lac(cfg, lai);
 } |
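Review bot: An IE that is present but shorter than expected is now treated exactly like an absent one, so in the BVCI check a truncated BSSGP_IE_BVCI silently falls through to the routeing-area and location-area lookups instead of the message being rejected; the same holds for the two later hunks. That removes the out-of-bounds read, but it lets a malformed message be matched to a peer by a different IE and leaves no trace for whoever later investigates it. Consider handling the short case explicitly, e.g. `if (TLVP_PRESENT(tp, BSSGP_IE_BVCI) && !TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, 2)) return NULL;`, together with a log line at the project's usual level. The function's tail and its callers are outside the hunk, so whether a NULL return is already handled as a protocol error should be confirmed there.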
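Review bot: The minimum lengths `6` in the routeing-area check and `5` in the location-area check (likewise `2` for the BVCI) are bare literals, and their correctness depends on reads that mostly happen outside the hunks, such as the LAC comparison described in the comment after `rai`. A short comment beside each check, for example `/* RAI: MCC/MNC (3) + LAC (2) + RAC (1) */` and `/* LAI: MCC/MNC (3) + LAC (2) */`, or named constants, would tie each bound to the octets actually dereferenced, so a later change on either side is caught in review. It is also worth confirming in gbproxy_peer_by_lac, whose body is not shown, that it never reads past the first five octets of the buffer it is handed, since the location-area path guarantees no more than that.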