fix a one-byte stack buffer overrun in osmo-pcu
Address sanitizer uncovered a one-byte stack overrun due to an off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch(). Fix the problem and add an assertion which triggers before the overrun can occur. Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c Related: OS#3289
This commit is contained in:
parent
7a9c1660cc
commit
143b2da4f8
|
@ -217,7 +217,7 @@ void pcu_l1if_tx_agch(bitvec * block, int plen)
|
|||
|
||||
void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
|
||||
{
|
||||
uint8_t data[23+3]; /* prefix PLEN */
|
||||
uint8_t data[3+1+23]; /* prefix PLEN */
|
||||
|
||||
/* paging group */
|
||||
if (!imsi || strlen(imsi) < 3)
|
||||
|
@ -227,6 +227,7 @@ void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
|
|||
data[1] = imsi[1];
|
||||
data[2] = imsi[2];
|
||||
|
||||
OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
|
||||
bitvec_pack(block, data + 3+1);
|
||||
data[3] = (plen << 2) | 0x01;
|
||||
pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);
|
||||
|
|
Loading…
Reference in New Issue