rlm_sigtran/ipaccess: heap overflow in ipaccess_read_msg — attacker-controlled length...

author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>

Mon, 1 Jun 2026 18:56:32 +0000 (14:56 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Tue, 2 Jun 2026 17:08:11 +0000 (13:08 -0400)
author Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
Mon, 1 Jun 2026 18:56:32 +0000 (14:56 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Tue, 2 Jun 2026 17:08:11 +0000 (13:08 -0400)
diff --git a/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c b/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c

index 36cad884e2b8536a925267c03682d73a2e052934..1227d3e874391893ed2791f529bec2332c149db2 100644 (file)
--- a/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c
+++ b/src/modules/rlm_sigtran/libosmo-m3ua/ipaccess.c
@@ -113,6 +113,10 @@ struct msgb *ipaccess_read_msg(struct osmo_fd *bfd, int *error)
                 msgb_free(msg);
                 *error = ret;
                 return NULL;
+       } else if (ret < 3) {
+               msgb_free(msg);
+               *error = -EIO;
+               return NULL;
         }
  
         msgb_put(msg, ret);
@@ -120,6 +124,11 @@ struct msgb *ipaccess_read_msg(struct osmo_fd *bfd, int *error)
         /* then read the length as specified in header */
         msg->l2h = msg->data + sizeof(*hh);
         len = ntohs(hh->len);
+       if (len > TS1_ALLOC_SIZE - (int)sizeof(*hh)) {
+               msgb_free(msg);
+               *error = -EINVAL;
+               return NULL;
+       }
         ret = recv(bfd->fd, msg->l2h, len, 0);
         if (ret < len) {
                 msgb_free(msg);
author	Alexander Bainbridge-Sedivy <alex.bainbridge@inkbridge.io>
	Mon, 1 Jun 2026 18:56:32 +0000 (14:56 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Tue, 2 Jun 2026 17:08:11 +0000 (13:08 -0400)