summaryrefslogtreecommitdiffstats
path: root/openbsc/src/libtrau
diff options
context:
space:
mode:
authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-07-22 12:23:03 +0200
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-07-22 12:23:03 +0200
commit24fc435dad55d9f136bd1c846c70491cf020e73d (patch)
treec2695d6776e2568fa6bdfe60a9295580b04fa2d6 /openbsc/src/libtrau
parent94f83e1787dfaf0014963783c8602b79cad9ae2e (diff)
trau_mux.c: Prevent out-of-bounds read in trau_decode_fr()
Haralds patch in 9f109dfb9926558b6ea504dc3aee92cfd64413bd only fixed the trau_encode_fr part but the issue seems to exist in the decode function as well. Apply the same fix.
Diffstat (limited to 'openbsc/src/libtrau')
-rw-r--r--openbsc/src/libtrau/trau_mux.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c
index 4f159e4..3831a80 100644
--- a/openbsc/src/libtrau/trau_mux.c
+++ b/openbsc/src/libtrau/trau_mux.c
@@ -235,6 +235,9 @@ struct msgb *trau_decode_fr(uint32_t callref,
o = 0; /* offset input bits */
while (i < 260) {
data[j/8] |= (tf->d_bits[k+o] << (7-(j%8)));
+ /* to avoid out-of-bounds access in gsm_fr_map[++l] */
+ if (i == 259)
+ break;
if (--k < 0) {
o += gsm_fr_map[l];
k = gsm_fr_map[++l]-1;