From a2b1c5e6f62a698e09c6386454804ad80e2ff919 Mon Sep 17 00:00:00 2001 From: Pau Espin Pedrol Date: Fri, 26 Jul 2019 14:13:14 +0200 Subject: [PATCH] Fix return variable of strtoul() Return variable specified by strtoul() is "unsigned long int". If "unsigned int" is used, according to Coverity the return value can never be ULONG_MAX: CID 202173: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "pt == 18446744073709551615UL /* 9223372036854775807L * 2UL + 1UL */" is always false regardless of the values of its operands. This occurs as the logical second operand of "&&". Furthermore, PT is 7 bit in RTP header [1], so let's avoid accepting incorrect values. [1] https://tools.ietf.org/html/rfc3550#section-5 Fixes: c5c1430a1c00ad86855ffff3df3f106bb2bce1d5 ("Catch unsigned integer MGCP parsing errors with strtoul") Fixes: Coverity CID#202172 FIxes: Coverity CID#202173 Change-Id: Ice9eee6a252fab73dbab5ebf3cfc83c1b354fd08 --- src/libosmo-mgcp-client/mgcp_client.c | 5 ++++- src/libosmo-mgcp/mgcp_sdp.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c index 910289ed2..3f8e780fa 100644 --- a/src/libosmo-mgcp-client/mgcp_client.c +++ b/src/libosmo-mgcp-client/mgcp_client.c @@ -268,7 +268,7 @@ static int mgcp_parse_audio_port_pt(struct mgcp_response *r, char *line) { char *pt_str; char *pt_end; - unsigned int pt; + unsigned long int pt; unsigned int count = 0; unsigned int i; @@ -298,6 +298,9 @@ static int mgcp_parse_audio_port_pt(struct mgcp_response *r, char *line) pt_str == pt_end) goto response_parse_failure_pt; + if (pt >> 7) /* PT is 7 bit field, higher values not allowed */ + goto response_parse_failure_pt; + /* Do not allow duplicate payload types */ for (i = 0; i < count; i++) if (r->codecs[i] == pt) diff --git a/src/libosmo-mgcp/mgcp_sdp.c b/src/libosmo-mgcp/mgcp_sdp.c index 56fc611f5..01e79688f 100644 --- a/src/libosmo-mgcp/mgcp_sdp.c +++ b/src/libosmo-mgcp/mgcp_sdp.c @@ -132,7 +132,7 @@ static int pt_from_sdp(void *ctx, struct sdp_rtp_map *codecs, char *str_ptr; char *pt_str; char *pt_end; - unsigned int pt; + unsigned long int pt; unsigned int count = 0; unsigned int i; @@ -163,6 +163,9 @@ static int pt_from_sdp(void *ctx, struct sdp_rtp_map *codecs, pt_str == pt_end) goto error; + if (pt >> 7) /* PT is 7 bit field, higher values not allowed */ + goto error; + /* Do not allow duplicate payload types */ for (i = 0; i < count; i++) if (codecs[i].payload_type == pt)