author | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-10-16 14:36:26 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-10-16 14:36:28 +0200 |
commit | 05bca3524a29de832f4ed455def37fa6c9fa015d (patch) | |
tree | adbc784ba786a752dfb26d013dead44e3edbfe22 /src/gprs_rlcmac.cpp | |
parent | b3b0c49d1caccd7e9e5ea513e5ccd810c7749dab (diff) |
Fix assertion hit upon CCCH Paging Request

Recent commit added an assertion to check for buffer boundaries and it
actually gets hit.

One of the 2 code paths calling pcu_l1if_tx_pch() was passing a buffer
of 23 bytes while one of maximum 22 is expected (because plen is not set
in the buffer but set inside pcu_l1if_tx_pch()).

So it seems before the assert, that code path was actually writing 1
byte outside the boundaries of data buffer, since bitvec_pack() uses
data_len field of bitvec.

Related: OS#4228
Fixes: 8dc09e73d0b361b27232526ebcd5f25cd8c7edfd
Change-Id: I84c5dfd4d5580e9d4c00ed21887cb51bd9abbd2e
Diffstat (limited to 'src/gprs_rlcmac.cpp')
-rw-r--r-- | src/gprs_rlcmac.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gprs_rlcmac.cpp b/src/gprs_rlcmac.cpp index 4d93f8f0..7a98a250 100644 --- a/src/gprs_rlcmac.cpp +++ b/src/gprs_rlcmac.cpp @@ -32,7 +32,7 @@ int gprs_rlcmac_paging_request(uint8_t *ptmsi, uint16_t ptmsi_len, const char *imsi) { LOGP(DRLCMAC, LOGL_NOTICE, "TX: [PCU -> BTS] Paging Request (CCCH)\n"); - bitvec *paging_request = bitvec_alloc(23, tall_pcu_ctx); + bitvec *paging_request = bitvec_alloc(22, tall_pcu_ctx); bitvec_unhex(paging_request, DUMMY_VEC); int plen = Encoding::write_paging_request(paging_request, ptmsi, ptmsi_len); pcu_l1if_tx_pch(paging_request, plen, (char *)imsi); |
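Review bot: the size in `bitvec_alloc(22, tall_pcu_ctx)` is a bare literal, and the only explanation of why it must be 22 rather than 23 lives in the commit message (plen is prepended inside pcu_l1if_tx_pch(), so the caller's buffer has to be one byte shorter). Since the bound is enforced by an assertion in a different function, the two values can drift apart again. Consider a named constant shared by this allocation and the check in pcu_l1if_tx_pch(), or at least a comment here stating the relationship. Separately, in the visible lines the result of bitvec_alloc() is passed straight to bitvec_unhex() without a NULL check; if allocation can fail in this context, that should be handled before the vector is used.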