Transceiver.cpp: prevent out-of-range array access
There was no simple range check for either of the (NO)HANDOVER commands, so an out-of-range access was possible. For example, the command: CMD HANDOVER 0 -3 might enable EDGE at run-time, because: a[i] == *(a + i) Let's fix this. Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
parent
8c6c5d2bcd
commit
c0c6d70fe9
|
@ -727,15 +727,23 @@ void Transceiver::driveControl(size_t chan)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else if (match_cmd(command, "HANDOVER", ¶ms)) {
|
} else if (match_cmd(command, "HANDOVER", ¶ms)) {
|
||||||
int ts=0,ss=0;
|
unsigned ts = 0, ss = 0;
|
||||||
sscanf(params, "%d %d", &ts, &ss);
|
sscanf(params, "%u %u", &ts, &ss);
|
||||||
mHandover[ts][ss] = true;
|
if (ts > 7 || ss > 7) {
|
||||||
sprintf(response,"RSP HANDOVER 0 %d %d",ts,ss);
|
sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
|
||||||
|
} else {
|
||||||
|
mHandover[ts][ss] = true;
|
||||||
|
sprintf(response, "RSP HANDOVER 0 %u %u", ts, ss);
|
||||||
|
}
|
||||||
} else if (match_cmd(command, "NOHANDOVER", ¶ms)) {
|
} else if (match_cmd(command, "NOHANDOVER", ¶ms)) {
|
||||||
int ts=0,ss=0;
|
unsigned ts = 0, ss = 0;
|
||||||
sscanf(params, "%d %d", &ts, &ss);
|
sscanf(params, "%u %u", &ts, &ss);
|
||||||
mHandover[ts][ss] = false;
|
if (ts > 7 || ss > 7) {
|
||||||
sprintf(response,"RSP NOHANDOVER 0 %d %d",ts,ss);
|
sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
|
||||||
|
} else {
|
||||||
|
mHandover[ts][ss] = false;
|
||||||
|
sprintf(response, "RSP NOHANDOVER 0 %u %u", ts, ss);
|
||||||
|
}
|
||||||
} else if (match_cmd(command, "SETMAXDLY", ¶ms)) {
|
} else if (match_cmd(command, "SETMAXDLY", ¶ms)) {
|
||||||
//set expected maximum time-of-arrival
|
//set expected maximum time-of-arrival
|
||||||
int maxDelay;
|
int maxDelay;
|
||||||
|
|
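Review bot: The rejection path of the HANDOVER branch appears to answer with the wrong verb: the new line `sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);` sits under the "HANDOVER" match, so a caller that pairs responses with commands by name would not see its failure; it should read `sprintf(response, "RSP HANDOVER 1 %u %u", ts, ss);`. In both branches the result of `sscanf` is still ignored, so a command with missing or non-numeric parameters leaves `ts` and `ss` at 0 and silently changes `mHandover[0][0]`; folding it into the guard, `if (sscanf(params, "%u %u", &ts, &ss) != 2 || ts > 7 || ss > 7) {`, rejects those too. The literal 7 presumably mirrors the dimensions of `mHandover`, which are declared outside this hunk; deriving the bound from the array declaration would keep the check from drifting if the array ever changes size. `driveControl` starts and ends outside the hunk, so the size of `response` that the `sprintf` calls write into cannot be confirmed from here.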