cbsp: avoid potential msgb write overflow in osmo_cbsp_recv_buffered >>> CID 273001: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "needed" to "recv", which uses it as an offset. 1444 rc = recv(fd, msg->tail, needed, 0); Fixes: Coverity CID#273001 Change-Id: I17c558254f9c7907b56d61c53c2f597e8e4566cf

commit: 8f577fbb5c2815975ebd52596187f24ce1f1af19 [log] [tgz]
author: Pau Espin Pedrol <pespin@sysmocom.de> Wed Jun 29 17:55:54 2022 +0200
committer: laforge <laforge@osmocom.org> Fri Jul 01 14:22:09 2022 +0000
tree: 4f017d6dacf8d3dcaa7120b5a40d5b858c28d474
parent: 09e5409cef7cf079d8a5c92e7b6789e48f2d5e81 [diff]
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 2095003..a31517b 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c

@@ -1441,6 +1441,10 @@
 
 	needed = len - msgb_l2len(msg);
 	if (needed > 0) {
+		if (needed > msgb_tailroom(msg)) {
+			rc = -ENOMEM;
+			goto discard_msg;
+		}
 		rc = recv(fd, msg->tail, needed, 0);
 		if (rc == 0)
 			goto discard_msg;
commit	8f577fbb5c2815975ebd52596187f24ce1f1af19	[log] [tgz]
author	Pau Espin Pedrol <pespin@sysmocom.de>	Wed Jun 29 17:55:54 2022 +0200
committer	laforge <laforge@osmocom.org>	Fri Jul 01 14:22:09 2022 +0000
tree	4f017d6dacf8d3dcaa7120b5a40d5b858c28d474
parent	09e5409cef7cf079d8a5c92e7b6789e48f2d5e81 [diff]