From d02927b036ded59e746b3c4ba9d1014241145894 Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Wed, 3 Oct 2018 06:22:16 +0700
Subject: layer23/l1ctl.c: fix: verify msg length using l1h, not l2h

The actual L1CTL header is pointed by 'msg->l1h', not 'l2h'! Since msg->l2h is NULL (because nobody set it), the result of msgb_l2len() would always be bigger than size of L1CTL header, as it is calculated in the following way:

return msgb->tail - (uint8_t *)msgb_l2(msgb);

So, in case if 'msg->l2h' is NULL, it turns into:

return msgb->tail - 0;

Change-Id: I7fe2e00bb45ba07c9bb7438445eededfa09c96f3
---
 src/host/layer23/src/common/l1ctl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/host/layer23/src/common/l1ctl.c b/src/host/layer23/src/common/l1ctl.c
index 9a3bc0e8..c8695ca1 100644
--- a/src/host/layer23/src/common/l1ctl.c
+++ b/src/host/layer23/src/common/l1ctl.c
@@ -874,9 +874,10 @@ int l1ctl_recv(struct osmocom_ms *ms, struct msgb *msg)
 int rc = 0;
 struct l1ctl_hdr *l1h;
 
- if (msgb_l2len(msg) < sizeof(*l1h)) {
- LOGP(DL1C, LOGL_ERROR, "Short Layer2 message: %u\n",
- msgb_l2len(msg));
+ /* Make sure a message has L1CTL header (pointed by msg->l1h) */
+ if (msgb_l1len(msg) < sizeof(*l1h)) {
+ LOGP(DL1C, LOGL_ERROR, "Short L1CTL message, "
+ "missing the header (len=%u)\n", msgb_l1len(msg));
 msgb_free(msg);
 return -1;
 }
-- 
cgit v1.2.3
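Review bot: The new check on `msgb_l1len(msg)` still trusts that `msg->l1h` was set by whoever queued the message; if it is NULL, the length is computed from a null base exactly as the description shows for `l2h`, the test passes for any message, and the header would presumably then be parsed from a NULL pointer once the function continues past this hunk. Guarding the pointer explicitly, `if (!msg->l1h || msgb_l1len(msg) < sizeof(*l1h)) {`, makes the short-message path catch that case too and logs it instead of faulting later. Whether every producer of these msgbs sets l1h is not visible here and should be confirmed. The body of l1ctl_recv continues outside the hunk.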