diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-12-09 13:55:12 +0100 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-12-09 13:55:14 +0100 |
commit | 32499b614b9453f50df806ff52a4e3d1654d0e4f (patch) | |
tree | 3b5c96090d4287767bbd2d51d14faac9052655ae | |
parent | 30f6617c799d3b8fd7ce705aa0becac40b830a50 (diff) |
pcu_l1_if: Check pag_req id_lv len fits buffer
Related: OS#4316
Change-Id: I803e1d2577a0d210e74feb5ca4c216375a5024ea
-rw-r--r-- | src/pcu_l1_if.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp index 5e22c5cc..98e697d8 100644 --- a/src/pcu_l1_if.cpp +++ b/src/pcu_l1_if.cpp @@ -19,6 +19,7 @@ #include <stdio.h> #include <unistd.h> +#include <inttypes.h> #include <stdlib.h> #include <string.h> #include <errno.h> @@ -636,6 +637,13 @@ static int pcu_rx_pag_req(struct gsm_pcu_if_pag_req *pag_req) LOGP(DL1IF, LOGL_DEBUG, "Paging request received: chan_needed=%d " "length=%d\n", pag_req->chan_needed, pag_req->identity_lv[0]); + /* check if identity does not fit: length > sizeof(lv) - 1 */ + if (pag_req->identity_lv[0] >= sizeof(pag_req->identity_lv)) { + LOGP(DL1IF, LOGL_ERROR, "Paging identity too large (%" PRIu8 ")\n", + pag_req->identity_lv[0]); + return -EINVAL; + } + return BTS::main_bts()->add_paging(pag_req->chan_needed, pag_req->identity_lv); } |