author | Stefan Sperling <ssperling@sysmocom.de> | 2018-05-25 14:10:53 +0200 |
---|---|---|
committer | Stefan Sperling <ssperling@sysmocom.de> | 2018-05-25 15:19:50 +0200 |
commit | 143b2da4f846acdcfccc9f1038d25f8a244a47de (patch) | |
tree | 0f2f8cb507e966e31ea819721ae42e51033f250d /src/pcu_l1_if.cpp | |
parent | 7a9c1660cc46d1adcd26a234da2ecbfb07cd5719 (diff) |
fix a one-byte stack buffer overrun in osmo-pcu
Address sanitizer uncovered a one-byte stack overrun due to an
off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch().
Fix the problem and add an assertion which triggers before the
overrun can occur.
Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Related: OS#3289
Diffstat (limited to 'src/pcu_l1_if.cpp')
-rw-r--r-- | src/pcu_l1_if.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 4b547074..27e86dd5 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -217,7 +217,7 @@ void pcu_l1if_tx_agch(bitvec * block, int plen)
 void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
 {
- uint8_t data[23+3]; /* prefix PLEN */
+ uint8_t data[3+1+23]; /* prefix PLEN */
 /* paging group */
 if (!imsi || strlen(imsi) < 3)
@@ -227,6 +227,7 @@ void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
 data[1] = imsi[1];
 data[2] = imsi[2];
+ OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
 bitvec_pack(block, data + 3+1);
 data[3] = (plen << 2) | 0x01;
 pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3); |
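Review bot: The buffer layout in pcu_l1if_tx_pch() is spelled as bare literals, `3+1+23` in the declaration here and `3+1` / `23+3` again further down in the function, so the array size and the offsets can drift apart again, which appears to be how the off-by-one arose. Named constants for the three paging-group bytes, the PLEN octet and the block length, with the array declared from their sum, would keep every use tied to one definition. The trailing comment `/* prefix PLEN */` could also state the layout, for example `/* 3 paging-group bytes + PLEN octet + packed block */` (the meaning of the 23 is inferred from the code, not stated in the hunk).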
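Review bot: The length passed to `pcu_tx_data_req()` on the last line is still `23+3` (26), although `data` now holds 27 bytes and the new assertion accepts `block->data_len` up to 23, so a full-size block would have its final packed byte left out of the request. If 27 bytes is the intended message size, passing `sizeof(data)` as the last argument keeps it in step with the declaration; if the receiver expects 26, the assertion bound should be tightened instead, and which of the two applies cannot be told from the hunk. Separately, `OSMO_ASSERT` presumably aborts the process on an oversized block; if `block` can be influenced by a peer, logging the length and returning early would avoid turning a bad length into a crash. The function's closing lines are outside the hunk.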