summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2018-04-16 22:55:15 +0200
committerHarald Welte <laforge@gnumonks.org>2018-04-16 22:55:15 +0200
commitf1fa4a7a9c0debd481234d2a188b1a06e440d65b (patch)
tree3e5f20456c62c06286f17b70b9f12a1da30b6b49
parent58fcc5344ea0e914c7f9be69c309998d243142bd (diff)
ipa_asp_fsm: Prevent against integer underflow
Ensure we don't pass a negative integer as "unsigned int len" to ipa_asp_fsm_wait_id_get(). This could result in a remotely-triggered integer underflow. Change-Id: Idf9a5c0938e6ae6d47bf85ddfec3306fa3ddb3ce
-rw-r--r--src/xua_asp_fsm.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/xua_asp_fsm.c b/src/xua_asp_fsm.c
index e81f0af..93c76cb 100644
--- a/src/xua_asp_fsm.c
+++ b/src/xua_asp_fsm.c
@@ -881,6 +881,11 @@ static void ipa_asp_fsm_wait_id_get(struct osmo_fsm_inst *fi, uint32_t event, vo
data_len = msgb_l2len(msg_get)-1;
LOGPFSM(fi, "Received IPA CCM IDENTITY REQUEST for IEs %s\n",
osmo_hexdump(req_data, data_len));
+ /* avoid possible unsigned integer underflow, as ipa_ccm_make_id_resp_from_req()
+ * expects an unsigned integer, and in case of a zero-length L2 message we might
+ * have data_len == -1 here */
+ if (data_len < 0)
+ data_len = 0;
/* Send ID_RESP to server */
msg_resp = ipa_ccm_make_id_resp_from_req(iafp->ipa_unit, req_data, data_len);
if (!msg_resp) {