OML: fix potential OOB memory access
Use sizeof target BTS feature storage to make sure we always fit into pre-allocated memory. Also use it for log check. Change-Id: Ib107daa6e8b9bc397a10756071849f8ff82455d5 Fixes: CID 170581
parent
c51c1e7950
commit
a60bb3dd28
|
@ -490,13 +490,13 @@ static inline uint8_t *parse_attr_resp_info_manuf_id(struct gsm_bts *bts, uint8_
|
||||||
m_id_len = MAX_BTS_FEATURES/8;
|
m_id_len = MAX_BTS_FEATURES/8;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (m_id_len > _NUM_BTS_FEAT/8 + 1)
|
if (m_id_len > sizeof(bts->_features_data))
|
||||||
LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: reported unexpectedly long (%u bytes) "
|
LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: reported unexpectedly long (%u bytes) "
|
||||||
"feature vector - most likely it was compiled against newer BSC headers. "
|
"feature vector - most likely it was compiled against newer BSC headers. "
|
||||||
"Consider upgrading your BSC to later version.\n",
|
"Consider upgrading your BSC to later version.\n",
|
||||||
bts->nr, m_id_len);
|
bts->nr, m_id_len);
|
||||||
|
|
||||||
memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), m_id_len);
|
memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
|
||||||
adjust = m_id_len + 3; /* adjust for parsed TL16V struct */
|
adjust = m_id_len + 3; /* adjust for parsed TL16V struct */
|
||||||
|
|
||||||
for (i = 0; i < _NUM_BTS_FEAT; i++)
|
for (i = 0; i < _NUM_BTS_FEAT; i++)
|
||||||
|
|
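Review bot: The new memcpy() length is the constant `sizeof(bts->_features_data)` and no longer depends on m_id_len, so when the BTS reports a feature vector shorter than the local storage, the copy reads past the end of the NM_ATT_MANUF_ID value in the received message. The bytes picked up that way are then evaluated as feature bits by the `for (i = 0; i < _NUM_BTS_FEAT; i++)` loop that follows. The destination side is now bounded, but the source side should be bounded too: `size_t n = m_id_len < sizeof(bts->_features_data) ? m_id_len : sizeof(bts->_features_data);` followed by `memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), n);`. parse_attr_resp_info_manuf_id() starts above the hunk, so it is not visible here whether m_id_len is checked against the real TLV length earlier on; that is worth confirming.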