From 40db4c330e4c10e11bce9f317af0dd51b6e1e54d Mon Sep 17 00:00:00 2001 From: Philipp Maier Date: Tue, 10 Jan 2023 12:49:28 +0100 Subject: [PATCH] pcu_l1_if: ignore frame numbers that exceed the valid range osmo-bsc may send invalid frame numbers through the pcu-sock interface. Lets make sure that incoming frame numbers do not exceed the valid range. Change-Id: Ib0cf1738be07733c95fc6c459a8a7c4cb2eeef26 Related: OS#5198 --- src/pcu_l1_if.cpp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp index 15ae94f2..69629db9 100644 --- a/src/pcu_l1_if.cpp +++ b/src/pcu_l1_if.cpp @@ -40,6 +40,7 @@ extern "C" { #include #include #include +#include #include } @@ -623,6 +624,12 @@ static int pcu_rx_rach_ind(struct gprs_rlcmac_bts *bts, const struct gsm_pcu_if_ "qta=%d, ra=0x%02x, fn=%u, cur_fn=%d, is_11bit=%d\n", rach_ind->sapi, rach_ind->qta, rach_ind->ra, rach_ind->fn, current_fn, rach_ind->is_11bit); + if (OSMO_UNLIKELY(rach_ind->fn > GSM_TDMA_HYPERFRAME - 1)) { + LOGP(DL1IF, LOGL_ERROR, "RACH request contains fn=%u that exceeds valid limits (0-%u) -- ignored!\n", + rach_ind->fn, GSM_TDMA_HYPERFRAME - 1); + return -EINVAL; + } + struct rach_ind_params rip = { .burst_type = (enum ph_burst_type) rach_ind->burst_type, .is_11bit = rach_ind->is_11bit > 0,
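Review bot: The range check is added only in pcu_rx_rach_ind, although the commit message speaks of incoming frame numbers in general and the diffstat shows no other handler touched; any other pcu-sock handler in this file that takes an fn from the peer (none are visible in this hunk) would still pass an out-of-range value on. Consider moving the test into a small helper, e.g. `static inline bool pcu_fn_valid(uint32_t fn) { return fn < GSM_TDMA_HYPERFRAME; }` (assuming fn is a 32-bit unsigned field, as the `%u` format suggests), and calling it from each such handler; `fn >= GSM_TDMA_HYPERFRAME` also reads more directly than `fn > GSM_TDMA_HYPERFRAME - 1`. In the context lines just below the new check, `rach_ind->burst_type` from the same peer-supplied message is cast to `enum ph_burst_type` without a range check, which may deserve the same validation. The body of pcu_rx_rach_ind starts and ends outside the hunk, so later handling of the rejected values cannot be confirmed from here.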