diff options
author | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-07-22 12:23:03 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-07-22 12:23:03 +0200 |
commit | 24fc435dad55d9f136bd1c846c70491cf020e73d (patch) | |
tree | c2695d6776e2568fa6bdfe60a9295580b04fa2d6 /openbsc/src/libtrau | |
parent | 94f83e1787dfaf0014963783c8602b79cad9ae2e (diff) |
trau_mux.c: Prevent out-of-bounds read in trau_decode_fr()
Haralds patch in 9f109dfb9926558b6ea504dc3aee92cfd64413bd only fixed
the trau_encode_fr part but the issue seems to exist in the decode
function as well. Apply the same fix.
Diffstat (limited to 'openbsc/src/libtrau')
-rw-r--r-- | openbsc/src/libtrau/trau_mux.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c index 4f159e4cb..3831a80ad 100644 --- a/openbsc/src/libtrau/trau_mux.c +++ b/openbsc/src/libtrau/trau_mux.c @@ -235,6 +235,9 @@ struct msgb *trau_decode_fr(uint32_t callref, o = 0; /* offset input bits */ while (i < 260) { data[j/8] |= (tf->d_bits[k+o] << (7-(j%8))); + /* to avoid out-of-bounds access in gsm_fr_map[++l] */ + if (i == 259) + break; if (--k < 0) { o += gsm_fr_map[l]; k = gsm_fr_map[++l]-1; |