summaryrefslogtreecommitdiffstats
path: root/openbsc/src/libtrau
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2014-06-23 09:48:07 +0200
committerHarald Welte <laforge@gnumonks.org>2014-06-23 09:49:29 +0200
commit9f109dfb9926558b6ea504dc3aee92cfd64413bd (patch)
tree468c95518bc12d1faf648a49a1688677baf6b3d2 /openbsc/src/libtrau
parentdb0caf239eb4ba73d7378a1ba5a659e2cbc7891e (diff)
trau_mux.c: Prevent out-of-bounds read in trau_encode_fr()
found by -fsanitize=address the last iteration of the loop, where i == 259 and o == 260. It is read out-of-bounds but the content is never used.
Diffstat (limited to 'openbsc/src/libtrau')
-rw-r--r--openbsc/src/libtrau/trau_mux.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c
index fd1895f94..4f159e4cb 100644
--- a/openbsc/src/libtrau/trau_mux.c
+++ b/openbsc/src/libtrau/trau_mux.c
@@ -436,6 +436,9 @@ void trau_encode_fr(struct decoded_trau_frame *tf,
o = 0; /* offset output bits */
while (i < 260) {
tf->d_bits[k+o] = (data[j/8] >> (7-(j%8))) & 1;
+ /* to avoid out-of-bounds access in gsm_fr_map[++l] */
+ if (i == 259)
+ break;
if (--k < 0) {
o += gsm_fr_map[l];
k = gsm_fr_map[++l]-1;