diff options
author | Max <msuraev@sysmocom.de> | 2017-06-12 13:45:03 +0200 |
---|---|---|
committer | Max <msuraev@sysmocom.de> | 2017-06-12 13:45:03 +0200 |
commit | a60bb3dd28ce9e3720f8ee1b262893f3e233e2e6 (patch) | |
tree | be698dbb4442c6a179eea00109466ee66beb9ce0 /openbsc/src/libbsc | |
parent | c51c1e795091ba7663a2303bda48cb12fa327c19 (diff) |
OML: fix potential OOB memory access
Use sizeof target BTS feature storage to make sure we always fit into
pre-allocated memory. Also use it for log check.
Change-Id: Ib107daa6e8b9bc397a10756071849f8ff82455d5
Fixes: CID 170581
Diffstat (limited to 'openbsc/src/libbsc')
-rw-r--r-- | openbsc/src/libbsc/abis_nm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/openbsc/src/libbsc/abis_nm.c b/openbsc/src/libbsc/abis_nm.c index 551c0bf79..171568886 100644 --- a/openbsc/src/libbsc/abis_nm.c +++ b/openbsc/src/libbsc/abis_nm.c @@ -490,13 +490,13 @@ static inline uint8_t *parse_attr_resp_info_manuf_id(struct gsm_bts *bts, uint8_ m_id_len = MAX_BTS_FEATURES/8; } - if (m_id_len > _NUM_BTS_FEAT/8 + 1) + if (m_id_len > sizeof(bts->_features_data)) LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: reported unexpectedly long (%u bytes) " "feature vector - most likely it was compiled against newer BSC headers. " "Consider upgrading your BSC to later version.\n", bts->nr, m_id_len); - memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), m_id_len); + memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data)); adjust = m_id_len + 3; /* adjust for parsed TL16V struct */ for (i = 0; i < _NUM_BTS_FEAT; i++) |