fix a one-byte stack buffer overrun in osmo-pcu

Address sanitizer uncovered a one-byte stack overrun due to an
off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch().
Fix the problem and add an assertion which triggers before the
overrun can occur.

Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Related: OS#3289
This commit is contained in:
Stefan Sperling 2018-05-25 14:10:53 +02:00
parent 7a9c1660cc
commit 143b2da4f8
1 changed files with 2 additions and 1 deletions

View File

@ -217,7 +217,7 @@ void pcu_l1if_tx_agch(bitvec * block, int plen)
void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
{
uint8_t data[23+3]; /* prefix PLEN */
uint8_t data[3+1+23]; /* prefix PLEN */
/* paging group */
if (!imsi || strlen(imsi) < 3)
@ -227,6 +227,7 @@ void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
data[1] = imsi[1];
data[2] = imsi[2];
OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
bitvec_pack(block, data + 3+1);
data[3] = (plen << 2) | 0x01;
pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);