From e891d72ab87a7c99d386e12bd4d5041bcf8f3b64 Mon Sep 17 00:00:00 2001
From: Robert Falkenberg
Date: Mon, 23 May 2022 10:09:03 +0200
Subject: [PATCH] lib,rlc_am_nr: fix out-of-bounds access when unpacking malformed status PDUs
---
 lib/src/rlc/rlc_am_nr_packing.cc | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/src/rlc/rlc_am_nr_packing.cc b/lib/src/rlc/rlc_am_nr_packing.cc
index b7ba0a867..ea8617fa7 100644
--- a/lib/src/rlc/rlc_am_nr_packing.cc
+++ b/lib/src/rlc/rlc_am_nr_packing.cc
@@ -342,6 +342,12 @@ rlc_am_nr_read_status_pdu_12bit_sn(const uint8_t* payload, const uint32_t nof_by
 ptr++;
 while (e1 != 0) {
+ // check buffer headroom
+ if (uint32_t(ptr - payload) >= nof_bytes) {
+ fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
+ return 0;
+ }
+
 // E1 flag set, read a NACK_SN
 rlc_status_nack_t nack = {};
 nack.nack_sn = (*ptr & 0xff) << 4;
@@ -376,10 +382,6 @@ rlc_am_nr_read_status_pdu_12bit_sn(const uint8_t* payload, const uint32_t nof_by
 ptr++;
 }
 status->push_nack(nack);
- if (uint32_t(ptr - payload) > nof_bytes) {
- fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
- return 0;
- }
 }
 return SRSRAN_SUCCESS;
@@ -421,6 +423,12 @@ rlc_am_nr_read_status_pdu_18bit_sn(const uint8_t* payload, const uint32_t nof_by
 ptr++;
 while (e1 != 0) {
+ // check buffer headroom
+ if (uint32_t(ptr - payload) >= nof_bytes) {
+ fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
+ return 0;
+ }
+
 // E1 flag set, read a NACK_SN
 rlc_status_nack_t nack = {};
@@ -458,10 +466,6 @@ rlc_am_nr_read_status_pdu_18bit_sn(const uint8_t* payload, const uint32_t nof_by
 ptr++;
 }
 status->push_nack(nack);
- if (uint32_t(ptr - payload) > nof_bytes) {
- fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
- return 0;
- }
 }
 return SRSRAN_SUCCESS;
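Review bot: The new headroom check at the top of the 12-bit NACK loop (hunk at -342) only proves that the single byte at `ptr` is readable, but the entry it guards is wider than one byte: `nack.nack_sn = (*ptr & 0xff) << 4;` takes 8 of the 12 SN bits, so the remaining bits plus the E1/E2/E3 flags must come from at least one further byte, and the removed post-read check suggests the body also consumes optional offset/range fields — all of those reads happen below this hunk and stay unguarded, so a status PDU truncated right after the first byte of a NACK_SN still reads past `nof_bytes`. The same applies to the 18-bit loop at -421, where the SN alone spans three bytes. Checking the remaining length against the fixed size of the entry before reading it, e.g. `if (nof_bytes - uint32_t(ptr - payload) < 2) { fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n"); return 0; }` for the 12-bit case (3 for 18-bit), and re-checking once the E2/E3 flags are known before their fields are read, closes the gap. Separately, the malformed path returns `0` while the success path below returns `SRSRAN_SUCCESS`; if SRSRAN_SUCCESS is 0, as is conventional in this codebase, a caller cannot distinguish a truncated PDU whose NACKs were partially pushed via `status->push_nack(nack)` from a valid one, so the error path should return a value distinct from success, such as `SRSRAN_ERROR`. Both enclosing functions start and end outside these hunks.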