RSL: check for abnormal SI2q values

Check for impossible index and count values of SI2q messages. The limit is defined in 3GPP TS 44.018 Table 10.5.2.33b.1 Change-Id: I351f8e8641a1cb9548154803da70bfde46ee180d Fixes: CID 170749
author: Max <msuraev@sysmocom.de> 2017-06-16 20:15:22 +0200
committer: Max <msuraev@sysmocom.de> 2017-06-16 20:17:37 +0200
commit: 186c6bac0758b6f94aa101e151664b0dea5d8975 (patch)
tree: fd5c5e639ba32bd5875f29ec7996b5cd75e0adfd
parent: 340cff51f49f6e798cb5fb6d1b9febdd09902906 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/common/rsl.c b/src/common/rsl.c
index bb05decf..187a2e70 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -315,6 +315,12 @@ static int rsl_rx_bcch_info(struct gsm_bts_trx *trx, struct msgb *msg)
 				return rsl_tx_error_report(trx, RSL_ERR_IE_CONTENT);
 			}
 
+			if (bts->si2q_index > SI2Q_MAX_NUM || bts->si2q_count > SI2Q_MAX_NUM) {
+				LOGP(DRSL, LOGL_ERROR, " Rx RSL SI2quater witn impossible parameters: index %u, count %u"
+				     "should be <= %u\n", bts->si2q_index, bts->si2q_count, SI2Q_MAX_NUM);
+				return rsl_tx_error_report(trx, RSL_ERR_IE_CONTENT);
+			}
+
 			memset(GSM_BTS_SI2Q(bts, bts->si2q_index), GSM_MACBLOCK_PADDING, sizeof(sysinfo_buf_t));
 			memcpy(GSM_BTS_SI2Q(bts, bts->si2q_index), TLVP_VAL(&tp, RSL_IE_FULL_BCCH_INFO), len);
 			break;
author	Max <msuraev@sysmocom.de>	2017-06-16 20:15:22 +0200
committer	Max <msuraev@sysmocom.de>	2017-06-16 20:17:37 +0200
commit	186c6bac0758b6f94aa101e151664b0dea5d8975 (patch)
tree	fd5c5e639ba32bd5875f29ec7996b5cd75e0adfd
parent	340cff51f49f6e798cb5fb6d1b9febdd09902906 (diff)