authorVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-05-30 02:02:42 +0700
committerVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-06-03 06:52:37 +0000
commit3a986ba3c9b8f15330dfb1020e7cae2433be2085 (patch)
tree91ee1ea9831b6e5d346da6bf9dc2fa089babb23f
parenta6050088c5d1180877fda2a96cdace05a3082a25 (diff)
abis_nm: fix: properly truncate feature vector reported by BTS
The value of the feature vector can not only be greater, but also shorter than size of the buffer! This would potentially result in a buffer overrun. Let's fix this. Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
-rw-r--r--src/osmo-bsc/abis_nm.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index f60080141..db2879f51 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -571,8 +571,9 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
/* log potential BTS feature vector overflow */
if (len > sizeof(bts->_features_data)) {
- LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated to %zu bytes\n",
- bts->nr, sizeof(bts->_features_data));
+ LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated "
+ "(from %u to %zu bytes)\n", bts->nr, len, sizeof(bts->_features_data));
+ len = sizeof(bts->_features_data);
}
/* check that max. expected BTS attribute is above given feature vector length */
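Review bot: The comment `/* log potential BTS feature vector overflow */` above the `if (len > sizeof(bts->_features_data))` block is now stale, because the block no longer only logs: it also clamps `len`, and that clamp is what bounds the `memcpy` in the next hunk. I would reword it to `/* truncate an over-long BTS feature vector to the buffer size, and log it */` so nobody later removes the assignment as a logging leftover. The new format string also prints `len` with `%u`; its declaration is outside the hunk, so confirm the type matches that specifier.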
@@ -583,7 +584,7 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
bts->nr, len);
}
- memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
+ memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), len);
for (i = 0; i < _NUM_BTS_FEAT; i++) {
if (osmo_bts_has_feature(&bts->features, i) != osmo_bts_has_feature(&bts->model->features, i)) {
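Review bot: With the copy now bounded by `len`, a reported feature vector shorter than `bts->_features_data` leaves the tail of that buffer unwritten. Whatever was there before, for example bits from an earlier Get Attributes Response of the same BTS, is still read by the `osmo_bts_has_feature()` comparison loop that follows. Unless the buffer is cleared somewhere outside this hunk, I would zero it first with `memset(bts->_features_data, 0, sizeof(bts->_features_data));` immediately before the `memcpy`. The function starts before and continues after the visible lines, so an existing reset could not be ruled out from here.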