authorVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-05-30 02:02:42 +0700
committerVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-06-03 06:52:37 +0000
commit3a986ba3c9b8f15330dfb1020e7cae2433be2085 (patch)
tree91ee1ea9831b6e5d346da6bf9dc2fa089babb23f /src/osmo-bsc/abis_nm.c
parenta6050088c5d1180877fda2a96cdace05a3082a25 (diff)
abis_nm: fix: properly truncate feature vector reported by BTS
The value of the feature vector can be not only longer, but also shorter than the size of the buffer! This would potentially result in a buffer overrun. Let's fix this. Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
Diffstat (limited to 'src/osmo-bsc/abis_nm.c')
-rw-r--r--src/osmo-bsc/abis_nm.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index f60080141..db2879f51 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -571,8 +571,9 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
/* log potential BTS feature vector overflow */
if (len > sizeof(bts->_features_data)) {
- LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated to %zu bytes\n",
- bts->nr, sizeof(bts->_features_data));
+ LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated "
+ "(from %u to %zu bytes)\n", bts->nr, len, sizeof(bts->_features_data));
+ len = sizeof(bts->_features_data);
}
/* check that max. expected BTS attribute is above given feature vector length */
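Review bot: The comment `/* log potential BTS feature vector overflow */` above the `if` no longer matches the block, which now also clamps `len` to the buffer size; I would reword it to `/* truncate (and log) a feature vector that exceeds our buffer */` so the bound that the later `memcpy` relies on is visible to the next reader. The new message prints `len` with `%u`, and its declaration is outside the hunk, so confirm the type matches the specifier. The enclosing function starts and ends outside the hunk.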
@@ -583,7 +584,7 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
bts->nr, len);
}
- memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
+ memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), len);
for (i = 0; i < _NUM_BTS_FEAT; i++) {
if (osmo_bts_has_feature(&bts->features, i) != osmo_bts_has_feature(&bts->model->features, i)) {
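Review bot: When the BTS reports a feature vector shorter than `_features_data`, the new `memcpy(..., len)` overwrites only the first `len` bytes, so whatever the tail held before (for instance from an earlier Get Attributes Response) stays in place and is still read by the `_NUM_BTS_FEAT` loop that follows. Unless the buffer is known to be zeroed before this point, which the hunk does not show, clear it first with `memset(bts->_features_data, 0, sizeof(bts->_features_data));` ahead of the `memcpy`. A short comment such as `/* bytes the BTS did not report count as 'feature absent' */` would record the intent. The function continues outside the hunk.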