From 6c4c6f08ae13d89b375584988ed1f0556417a7cf Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Thu, 3 Dec 2020 15:36:59 +0100
Subject: gb_proxy: Use TLVP_PRES_LEN instead of TLVP_PRESENT

With TLVP_PRESENT we only check if a tiven TLV/IE is present, but don't verify that it's length matches our expectation. This can lead to out-of-bounds reads, so let's always use TLVP_PRES_LEN.

Change-Id: I1519cff0f6b2fe77f9a91eee17e0055d9df1bce6
---
 src/gbproxy/gb_proxy_peer.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/gbproxy/gb_proxy_peer.c')

diff --git a/src/gbproxy/gb_proxy_peer.c b/src/gbproxy/gb_proxy_peer.c
index ea5fe1ee1..79ea8e332 100644
--- a/src/gbproxy/gb_proxy_peer.c
+++ b/src/gbproxy/gb_proxy_peer.c
@@ -165,7 +165,7 @@ struct gbproxy_peer *gbproxy_peer_by_lac(struct gbproxy_config *cfg,
 struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg, struct tlv_parsed *tp) {
- if (TLVP_PRESENT(tp, BSSGP_IE_BVCI)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, 2)) {
 uint16_t bvci;
 bvci = ntohs(tlvp_val16_unal(tp, BSSGP_IE_BVCI));
@@ -174,7 +174,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
 }
 /* FIXME: this doesn't make sense, as RA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_ROUTEING_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_ROUTEING_AREA, 6)) {
 uint8_t *rai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_ROUTEING_AREA);
 /* Only compare LAC part, since MCC/MNC are possibly patched.
 * Since the LAC of different BSS must be different when
@@ -183,7 +183,7 @@ struct gbproxy_peer *gbproxy_peer_by_bssgp_tlv(struct gbproxy_config *cfg,
 }
 /* FIXME: this doesn't make sense, as LA can span multiple peers! */
- if (TLVP_PRESENT(tp, BSSGP_IE_LOCATION_AREA)) {
+ if (TLVP_PRES_LEN(tp, BSSGP_IE_LOCATION_AREA, 5)) {
 uint8_t *lai = (uint8_t *)TLVP_VAL(tp, BSSGP_IE_LOCATION_AREA);
 return gbproxy_peer_by_lac(cfg, lai);
 }
--
cgit v1.2.3
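Review bot: The minimum lengths 2, 6 and 5 passed to TLVP_PRES_LEN in this hunk and the two following ones are bare magic numbers with nothing in the code tying them to the bytes that are subsequently read through the IE pointer; TLVP_PRES_LEN accepts any IE at least that long, so the bound is only as good as the reader's memory of the BSSGP IE layouts. I would make the derivation visible, e.g. `if (TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, sizeof(uint16_t))) {` in the BVCI hunk, and a one-line comment above the other two such as `/* RAI: MCC/MNC (3) + LAC (2) + RAC (1) */` and `/* LAI: MCC/MNC (3) + LAC (2) */`, so the length stays in step with what the LAC comparison and gbproxy_peer_by_lac() read from the buffer. The casts to `(uint8_t *)` on the `rai`/`lai` lines discard the const that TLVP_VAL presumably returns; `const uint8_t *` would suit a read-only lookup, though that predates this commit. gbproxy_peer_by_bssgp_tlv() opens in this hunk and continues past the last hunk, so the rest of its body is not visible here.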