From 36ac7758386dce06f53ee8ad6bf189f79eae1fee Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Sat, 16 Jul 2011 13:38:48 +0200
Subject: ipaccess-proxy: fix array bounds problem

detected by Smatch:
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +173 store_idtags(14) error: buffer overflow 'ipbc->id_tags' 255 <= 255
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +173 store_idtags(14) error: buffer overflow 'ipbc->id_tags' 255 <= 255
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +175 store_idtags(16) error: buffer overflow 'ipbc->id_tags' 255 <= 255
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +178 store_idtags(19) error: buffer overflow 'ipbc->id_tags' 255 <= 255
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +500 ipaccess_rcvmsg(66) error: buffer overflow 'ipbc->rsl_conn' 4 <= 4
/home/laforge/projects/git/openbsc/openbsc/src/ipaccess/ipaccess-proxy.c +504 ipaccess_rcvmsg(70) error: buffer overflow 'ipbc->bsc_rsl_conn' 4
<= 4
---
 openbsc/src/ipaccess/ipaccess-proxy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'openbsc/src')

diff --git a/openbsc/src/ipaccess/ipaccess-proxy.c b/openbsc/src/ipaccess/ipaccess-proxy.c
index b4d17e2c7..21dc70c27 100644
--- a/openbsc/src/ipaccess/ipaccess-proxy.c
+++ b/openbsc/src/ipaccess/ipaccess-proxy.c
@@ -103,7 +103,7 @@ struct ipa_bts_conn {
 	uint16_t gprs_orig_port;
 	uint32_t gprs_orig_ip;
 
-	char *id_tags[0xff];
+	char *id_tags[256];
 	uint8_t *id_resp;
 	unsigned int id_resp_len;
 };
@@ -488,7 +488,7 @@ static int ipaccess_rcvmsg(struct ipa_proxy_conn *ipc, struct msgb *msg,
 				return 0;
 			}
 
-			if (trx_id > MAX_TRX) {
+			if (trx_id >= MAX_TRX) {
 				LOGP(DINP, LOGL_ERROR, "We don't support more "
 				     "than %u TRX\n", MAX_TRX);
 				return -EINVAL;
-- 
cgit v1.2.3