cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered
>>> CID 273001: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "needed" to "recv", which uses it as an offset.
1444 rc = recv(fd, msg->tail, needed, 0);
Fixes: Coverity CID#273001
Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 2095003..a31517b 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -1441,6 +1441,10 @@
needed = len - msgb_l2len(msg);
if (needed > 0) {
+ if (needed > msgb_tailroom(msg)) {
+ rc = -ENOMEM;
+ goto discard_msg;
+ }
rc = recv(fd, msg->tail, needed, 0);
if (rc == 0)
goto discard_msg;