author | Vadim Yanitskiy <axilirator@gmail.com> | 2018-10-03 06:22:16 +0700 |
---|---|---|
committer | Vadim Yanitskiy <axilirator@gmail.com> | 2018-10-03 19:21:58 +0700 |
commit | d02927b036ded59e746b3c4ba9d1014241145894 (patch) | |
tree | 564f74b81060abf014127e3f112492bf53faba3c /src/host/layer23/src/common/l1ctl.c | |
parent | 7c04a6066e883fbb14255e9adfc0056a77bf381a (diff) |
layer23/l1ctl.c: fix: verify msg length using l1h, not l2h
The actual L1CTL header is pointed by 'msg->l1h', not 'l2h'!
Since msg->l2h is NULL (because nobody set it), the result of
msgb_l2len() would always be bigger than size of L1CTL header,
as it is calculated in the following way:
return msgb->tail - (uint8_t *)msgb_l2(msgb);
So, if 'msg->l2h' is NULL, it turns into:
return msgb->tail - 0;
Change-Id: I7fe2e00bb45ba07c9bb7438445eededfa09c96f3
Diffstat (limited to 'src/host/layer23/src/common/l1ctl.c')
-rw-r--r-- | src/host/layer23/src/common/l1ctl.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/host/layer23/src/common/l1ctl.c b/src/host/layer23/src/common/l1ctl.c
index 9a3bc0e8..c8695ca1 100644
--- a/src/host/layer23/src/common/l1ctl.c
+++ b/src/host/layer23/src/common/l1ctl.c
@@ -874,9 +874,10 @@ int l1ctl_recv(struct osmocom_ms *ms, struct msgb *msg)
  int rc = 0;
  struct l1ctl_hdr *l1h;
 
- if (msgb_l2len(msg) < sizeof(*l1h)) {
- LOGP(DL1C, LOGL_ERROR, "Short Layer2 message: %u\n",
- msgb_l2len(msg));
+ /* Make sure a message has L1CTL header (pointed by msg->l1h) */
+ if (msgb_l1len(msg) < sizeof(*l1h)) {
+ LOGP(DL1C, LOGL_ERROR, "Short L1CTL message, "
+ "missing the header (len=%u)\n", msgb_l1len(msg));
  msgb_free(msg);
  return -1;
  } |
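Review bot: The new length check at the top of l1ctl_recv() still trusts that msg->l1h has been set, and the hunk does not show where that happens. msgb_l1len() is presumably computed like the msgb_l2len() quoted in the commit message (tail minus the layer pointer), so an unset or stale l1h would again yield a large value and let a short message through to the header dereference. Consider making the precondition explicit: `if (msg->l1h == NULL || msgb_l1len(msg) < sizeof(*l1h)) {`. This guard covers only the fixed L1CTL header; the per-message-type handling further down l1ctl_recv(), outside this hunk, would still need its own payload length checks.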