libmsc/ran_msg_a.c: prevent chosen_encryption->key buffer overrun
In ran_a_make_handover_request() we do prevent destination buffer
(r.encryption_information.key) overflow, but not source buffer
(n->geran.chosen_encryption->key) overrun if an incorrect key
length is received. Let's fix this.
Change-Id: I278bb72660634c2d535e1bd3d7fce5696da23575
Fixes: CID#198450 Out-of-bounds access
diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 21be896..805308c 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -1080,7 +1080,9 @@
/* Encryption Information */
make_encrypt_info_perm_algo(log_fi, &r.encryption_information, n->geran.a5_encryption_mask, n->classmark);
if (n->geran.chosen_encryption && n->geran.chosen_encryption->key_len) {
- if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)) {
+ /* Prevent both source / destination buffer overrun / overflow */
+ if (n->geran.chosen_encryption->key_len > sizeof(r.encryption_information.key)
+ || n->geran.chosen_encryption->key_len > sizeof(n->geran.chosen_encryption->key)) {
LOG_RAN_A_ENC(log_fi, LOGL_ERROR, "Handover Request: invalid chosen encryption key size %u\n",
n->geran.chosen_encryption->key_len);
return NULL;