fix a one-byte stack buffer overrun in osmo-pcu
Address sanitizer uncovered a one-byte stack overrun due to an off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch(). Fix the problem and add an assertion which triggers before the overrun can occur. Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c Related: OS#3289
parent
7a9c1660cc
commit
143b2da4f8
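--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -217,7 +217,7 @@ void pcu_l1if_tx_agch(bitvec * block, int plen)
 
 void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
 {
-uint8_t data[23+3]; /* prefix PLEN */
+uint8_t data[3+1+23]; /* prefix PLEN */
 
 /* paging group */
 if (!imsi || strlen(imsi) < 3)
@@ -227,6 +227,7 @@ void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
 data[1] = imsi[1];
 data[2] = imsi[2];
 
+OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
 bitvec_pack(block, data + 3+1);
 data[3] = (plen << 2) | 0x01;
 pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);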
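Review bot: The new assertion permits block->data_len up to 23, and with bitvec_pack writing at data + 3+1 that fills data[4..26], yet the pcu_tx_data_req call two lines below still sends only 23+3 = 26 bytes, so the last packed byte of a 23-byte block would be silently dropped on the wire; either the send length should become `sizeof(data)` or the bound should be tightened to the 22 bytes that actually go out, and which one is right depends on the block size the callers build, which is not visible in this hunk. The layout constants 3, 1 and 23 are now repeated across the declaration, the assertion, the pack offset and the send length; a single definition such as `enum { PCH_PREFIX_LEN = 3 + 1, PCH_BLOCK_LEN = 23 };` (names constructed here) used in all four places would keep them from drifting apart again. The assertion only prevents the overrun if bitvec_pack writes at most data_len bytes into its destination, which the hunk relies on but does not show, so that contract is worth a one-line comment above the OSMO_ASSERT. pcu_l1if_tx_pch's body continues outside the hunk.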