aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2018-04-16 22:53:48 +0200
committerHarald Welte <laforge@gnumonks.org>2018-04-17 12:06:52 +0000
commit0b2c0ecd5e283bb75765447724a9b1e26f6478b5 (patch)
treecb104b407e37b7d34bfcae59f27480b411f7a0f7
parent62c43c6969bf81834801372a0892eaa9dabb67a3 (diff)
prevent integer underflow in ipa_ccm_make_id_resp_from_req()
don't blindly trust the tag-length value in an IPA CCM ID GET message. This could result in a remotely-triggered integer underflow. Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15
-rw-r--r--src/gsm/ipa.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index e03f6153..0c7aaad6 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -328,7 +328,12 @@ struct msgb *ipa_ccm_make_id_resp_from_req(const struct ipaccess_unit *dev,
ies[num_ies++] = t_tag;
cur += t_len;
- len -= t_len;
+ /* prevent any unsigned integer underflow due to somebody sending us
+ * messages with wrong length values */
+ if (len <= t_len)
+ len -= t_len;
+ else
+ len = 0;
}
return ipa_ccm_make_id_resp(dev, ies, num_ies);
}