From c0ac4e37c90149785b6fa77a59bb609a46474582 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <neels@hofmeyr.de>
Date: Mon, 14 Sep 2020 00:20:24 +0200
Subject: bitXXgen: ensure not reading/storing past valid size

Add OSMO_ASSERT()s to ensure bounds checking.

For example, for osmo_store32le_ext(), passing n > 5 would read past the end of
the uint32_t. Similarly, osmo_load32le_ext() for n > 4 would write past the
uint32_t's end.

Change-Id: I2dc21582cd8a679b6624cefbc0c1678b093a3d08
---
 include/osmocom/core/bitXXgen.h.tpl | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/osmocom/core/bitXXgen.h.tpl b/include/osmocom/core/bitXXgen.h.tpl
index 6881d87d..7e0ecd7f 100644
--- a/include/osmocom/core/bitXXgen.h.tpl
+++ b/include/osmocom/core/bitXXgen.h.tpl
@@ -22,6 +22,8 @@
 
 #pragma once
 
+#include <osmocom/core/utils.h>
+
 /*! load unaligned n-byte integer (little-endian encoding) into uintXX_t
  *  \param[in] p Buffer where integer is stored
  *  \param[in] n Number of bytes stored in p
@@ -32,6 +34,7 @@ static inline uintXX_t osmo_loadXXle_ext(const void *p, uint8_t n)
 	uint8_t i;
 	uintXX_t r = 0;
 	const uint8_t *q = (uint8_t *)p;
+	OSMO_ASSERT(n <= sizeof(r));
 	for(i = 0; i < n; r |= ((uintXX_t)q[i] << (8 * i)), i++);
 	return r;
 }
@@ -46,6 +49,7 @@ static inline uintXX_t osmo_loadXXbe_ext(const void *p, uint8_t n)
 	uint8_t i;
 	uintXX_t r = 0;
 	const uint8_t *q = (uint8_t *)p;
+	OSMO_ASSERT(n <= sizeof(r));
 	for(i = 0; i < n; r |= ((uintXX_t)q[i] << (XX - 8* (1 + i))), i++);
 	return r;
 }
@@ -60,6 +64,7 @@ static inline void osmo_storeXXle_ext(uintXX_t x, void *p, uint8_t n)
 {
 	uint8_t i;
 	uint8_t *q = (uint8_t *)p;
+	OSMO_ASSERT(n <= sizeof(x));
 	for(i = 0; i < n; q[i] = (x >> i * 8) & 0xFF, i++);
 }
 
@@ -72,6 +77,7 @@ static inline void osmo_storeXXbe_ext(uintXX_t x, void *p, uint8_t n)
 {
 	uint8_t i;
 	uint8_t *q = (uint8_t *)p;
+	OSMO_ASSERT(n <= sizeof(x));
 	for(i = 0; i < n; q[i] = (x >> ((n - 1 - i) * 8)) & 0xFF, i++);
 }
 
-- 
cgit v1.2.3