authorHarald Welte <laforge@gnumonks.org>2018-02-28 18:13:56 +0100
committerHarald Welte <laforge@gnumonks.org>2018-02-28 19:08:55 +0100
commitbae7af9c1362c49fa3b03b96dcfdd2fcebe43090 (patch)
tree597b835adad0aa76d2bc69aad6f7fb27a91c3963
parent70a0ee56f7027d2e5738f30d62669afe1d7255a0 (diff)
pcu_sock: Don't overflow the timeslot array
Don't blindly trust that the ts_nr received on the PCU socket will be small enough to not overflow our timeslot array! Change-Id: Ie9964c8dc0ca7b049da7dfec0ac0a0d3f1aedd45
-rw-r--r--src/common/pcu_sock.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/common/pcu_sock.c b/src/common/pcu_sock.c
index b810174f..c8308a9c 100644
--- a/src/common/pcu_sock.c
+++ b/src/common/pcu_sock.c
@@ -521,6 +521,12 @@ static int pcu_rx_data_req(struct gsm_bts *bts, uint8_t msg_type,
rc = -EINVAL;
break;
}
+ if (data_req->ts_nr >= ARRAY_SIZE(trx->ts)) {
+ LOGP(DPCU, LOGL_ERROR, "Received PCU data request with "
+ "not existing TS %u\n", data_req->ts_nr);
+ rc = -EINVAL;
+ break;
+ }
ts = &trx->ts[data_req->ts_nr];
is_ptcch = (data_req->sapi == PCU_IF_SAPI_PTCCH);
rc = l1sap_pdch_req(ts, is_ptcch, data_req->fn, data_req->arfcn,
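Review bot: The guard added before `ts = &trx->ts[data_req->ts_nr];` bounds only `ts_nr`, while the other `data_req` fields passed to `l1sap_pdch_req()` on the last line come from the same PCU socket message. That call's argument list continues past the hunk, so it cannot be seen here whether any length or block index among them is validated. If a payload length taken from the message is passed, it should be checked against the size of the message's data buffer before the call, with the same `rc = -EINVAL; break;` handling. A short comment above the new check would record the trust boundary, e.g. `/* ts_nr comes from the PCU socket peer; bound it before indexing trx->ts[] */`. The enclosing `case` in `pcu_rx_data_req()` starts and ends outside the hunk.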