From 24fc435dad55d9f136bd1c846c70491cf020e73d Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Tue, 22 Jul 2014 12:23:03 +0200
Subject: trau_mux.c: Prevent out-of-bounds read in trau_decode_fr()

Haralds patch in 9f109dfb9926558b6ea504dc3aee92cfd64413bd only fixed the trau_encode_fr part but the issue seems to exist in the decode function as well. Apply the same fix.
---
 openbsc/src/libtrau/trau_mux.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c
index 4f159e4cb..3831a80ad 100644
--- a/openbsc/src/libtrau/trau_mux.c
+++ b/openbsc/src/libtrau/trau_mux.c
@@ -235,6 +235,9 @@ struct msgb *trau_decode_fr(uint32_t callref,
 o = 0; /* offset input bits */
 while (i < 260) {
 data[j/8] |= (tf->d_bits[k+o] << (7-(j%8)));
+ /* to avoid out-of-bounds access in gsm_fr_map[++l] */
+ if (i == 259)
+ break;
 if (--k < 0) {
 o += gsm_fr_map[l];
 k = gsm_fr_map[++l]-1;
--
cgit v1.2.3
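Review bot: The added guard `if (i == 259)` inside `while (i < 260)` ties the bounds protection to the bit counter rather than to the table being indexed, so it only prevents the `gsm_fr_map[++l]` over-read while the table's entries sum to exactly 260. A check on the index itself, placed at the top of the `if (--k < 0)` branch, would stay correct if the table or frame size ever changes: `if (l + 1 >= ARRAY_SIZE(gsm_fr_map)) break;` (assuming `gsm_fr_map` is a true array visible in this file and `ARRAY_SIZE` is in scope; otherwise spell it with `sizeof`). The early break also leaves `i` and `j` one lower on loop exit than before this change. The loop's tail and the rest of `trau_decode_fr()` are outside the hunk, so it is worth confirming that nothing after the loop reads either counter.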