From 0b2c0ecd5e283bb75765447724a9b1e26f6478b5 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Mon, 16 Apr 2018 22:53:48 +0200
Subject: prevent integer underflow in ipa_ccm_make_id_resp_from_req()

don't blindly trust the tag-length value in an IPA CCM ID GET message. This could result in a remotely-triggered integer underflow.

Change-Id: I4723361e1094b358310541a7dc4c5c921c778a15
---
 src/gsm/ipa.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/gsm/ipa.c b/src/gsm/ipa.c
index e03f6153..0c7aaad6 100644
--- a/src/gsm/ipa.c
+++ b/src/gsm/ipa.c
@@ -328,7 +328,12 @@ struct msgb *ipa_ccm_make_id_resp_from_req(const struct ipaccess_unit *dev,
 ies[num_ies++] = t_tag;
 cur += t_len;
- len -= t_len;
+ /* prevent any unsigned integer underflow due to somebody sending us
+ * messages with wrong length values */
+ if (len <= t_len)
+ len -= t_len;
+ else
+ len = 0;
 }
 return ipa_ccm_make_id_resp(dev, ies, num_ies);
 }
-- 
cgit v1.2.3
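Review bot: The new guard around `len -= t_len` is inverted: `if (len <= t_len)` performs the subtraction in exactly the case where it can underflow (`len < t_len`) and zeroes `len` on the normal path where `len > t_len`, so a well-formed message carrying more than one IE will presumably stop being parsed after the first one while a malformed short one still underflows. The comparison should read `if (len >= t_len) len -= t_len; else len = 0;`. Even with that corrected, `cur += t_len` on the line above has already moved the pointer past the end of the received data when `t_len > len`, so it would be safer to reject the IE before the pointer advances, e.g. `if (t_len > len) break;` ahead of `cur += t_len;` — whether `break` or an error return is appropriate depends on the loop header and on how callers treat a partial response, neither of which is visible here. The enclosing function and the loop condition that consumes `len` start before this hunk.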