authorVadim Yanitskiy <>2018-10-03 06:22:16 +0700
committerVadim Yanitskiy <>2018-10-03 19:21:58 +0700
commitd02927b036ded59e746b3c4ba9d1014241145894 (patch)
tree564f74b81060abf014127e3f112492bf53faba3c /src
parent7c04a6066e883fbb14255e9adfc0056a77bf381a (diff)
layer23/l1ctl.c: fix: verify msg length using l1h, not l2h
The actual L1CTL header is pointed to by 'msg->l1h', not 'l2h'! Since msg->l2h is NULL (because nobody sets it), the result of msgb_l2len() would always be bigger than the size of the L1CTL header, as it is calculated in the following way: return msgb->tail - (uint8_t *)msgb_l2(msgb); So, if 'msg->l2h' is NULL, it turns into: return msgb->tail - 0; Change-Id: I7fe2e00bb45ba07c9bb7438445eededfa09c96f3
Diffstat (limited to 'src')
1 files changed, 4 insertions, 3 deletions
diff --git a/src/host/layer23/src/common/l1ctl.c b/src/host/layer23/src/common/l1ctl.c
index 9a3bc0e8..c8695ca1 100644
--- a/src/host/layer23/src/common/l1ctl.c
+++ b/src/host/layer23/src/common/l1ctl.c
@@ -874,9 +874,10 @@ int l1ctl_recv(struct osmocom_ms *ms, struct msgb *msg)
int rc = 0;
struct l1ctl_hdr *l1h;
- if (msgb_l2len(msg) < sizeof(*l1h)) {
- LOGP(DL1C, LOGL_ERROR, "Short Layer2 message: %u\n",
- msgb_l2len(msg));
+ /* Make sure a message has L1CTL header (pointed by msg->l1h) */
+ if (msgb_l1len(msg) < sizeof(*l1h)) {
+ LOGP(DL1C, LOGL_ERROR, "Short L1CTL message, "
+ "missing the header (len=%u)\n", msgb_l1len(msg));
return -1;