pcu_l1_if: Check pag_req id_lv len fits buffer

Related: OS#4316
Change-Id: I803e1d2577a0d210e74feb5ca4c216375a5024ea

1 files changed, 8 insertions, 0 deletions

diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 5e22c5cc..98e697d8 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -19,6 +19,7 @@
 
 #include <stdio.h>
 #include <unistd.h>
+#include <inttypes.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
@@ -636,6 +637,13 @@ static int pcu_rx_pag_req(struct gsm_pcu_if_pag_req *pag_req)
 	LOGP(DL1IF, LOGL_DEBUG, "Paging request received: chan_needed=%d "
 		"length=%d\n", pag_req->chan_needed, pag_req->identity_lv[0]);
 
+	/* check if identity does not fit: length > sizeof(lv) - 1 */
+	if (pag_req->identity_lv[0] >= sizeof(pag_req->identity_lv)) {
+		LOGP(DL1IF, LOGL_ERROR, "Paging identity too large (%" PRIu8 ")\n",
+			pag_req->identity_lv[0]);
+		return -EINVAL;
+	}
+
 	return BTS::main_bts()->add_paging(pag_req->chan_needed,
 						pag_req->identity_lv);
 }