author | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-05-30 02:02:42 +0700 |
---|---|---|
committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-06-03 06:52:37 +0000 |
commit | 3a986ba3c9b8f15330dfb1020e7cae2433be2085 (patch) | |
tree | 91ee1ea9831b6e5d346da6bf9dc2fa089babb23f | |
parent | a6050088c5d1180877fda2a96cdace05a3082a25 (diff) |
abis_nm: fix: properly truncate feature vector reported by BTS
The value of the feature vector can be not only longer, but also
shorter than the size of the buffer! This would potentially result
in a buffer overrun. Let's fix this.
Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
-rw-r--r-- | src/osmo-bsc/abis_nm.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index f60080141..db2879f51 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -571,8 +571,9 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
 /* log potential BTS feature vector overflow */
 if (len > sizeof(bts->_features_data)) {
- LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated to %zu bytes\n",
- bts->nr, sizeof(bts->_features_data));
+ LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated "
+ "(from %u to %zu bytes)\n", bts->nr, len, sizeof(bts->_features_data));
+ len = sizeof(bts->_features_data);
 }
 /* check that max. expected BTS attribute is above given feature vector length */
@@ -583,7 +584,7 @@ static int parse_attr_resp_info_attr(struct gsm_bts *bts, const struct gsm_bts_t
 bts->nr, len);
 }
- memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
+ memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), len);
 for (i = 0; i < _NUM_BTS_FEAT; i++) {
 if (osmo_bts_has_feature(&bts->features, i) != osmo_bts_has_feature(&bts->model->features, i)) { |
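Review bot: The comment over the `if (len > sizeof(bts->_features_data))` block still reads `/* log potential BTS feature vector overflow */`, but the block now also clamps `len`, and that clamp is what bounds the later `memcpy` of BTS-supplied data. I would reword it to `/* clamp an over-long BTS feature vector to the buffer size and log the truncation */` so nobody later treats the branch as logging-only. `len` is declared outside this hunk, so please confirm that `%u` in the new format string matches its type. The body of parse_attr_resp_info_attr starts and ends outside the hunk.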
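Review bot: When the BTS reports a vector shorter than `bts->_features_data`, the `memcpy` now writes only `len` bytes, so the tail of the buffer keeps whatever it held before, while the `for (i = 0; i < _NUM_BTS_FEAT; i++)` loop that follows still compares every feature bit. Unless the buffer is zeroed somewhere outside this hunk, a shorter response arriving after a longer one would leave stale feature bits set. Adding `memset(bts->_features_data, 0, sizeof(bts->_features_data));` just before the copy makes bits the BTS did not send read as absent. The function continues past the end of the hunk.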