diff options
author | Harald Welte <laforge@gnumonks.org> | 2014-06-23 09:48:07 +0200 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2014-06-23 09:49:29 +0200 |
commit | 9f109dfb9926558b6ea504dc3aee92cfd64413bd (patch) | |
tree | 468c95518bc12d1faf648a49a1688677baf6b3d2 /openbsc/src/libtrau | |
parent | db0caf239eb4ba73d7378a1ba5a659e2cbc7891e (diff) |
trau_mux.c: Prevent out-of-bounds read in trau_encode_fr()
found by -fsanitize=address the last iteration of the loop, where i ==
259 and o == 260. It is read out-of-bounds but the content is never
used.
Diffstat (limited to 'openbsc/src/libtrau')
-rw-r--r-- | openbsc/src/libtrau/trau_mux.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c index fd1895f94..4f159e4cb 100644 --- a/openbsc/src/libtrau/trau_mux.c +++ b/openbsc/src/libtrau/trau_mux.c @@ -436,6 +436,9 @@ void trau_encode_fr(struct decoded_trau_frame *tf, o = 0; /* offset output bits */ while (i < 260) { tf->d_bits[k+o] = (data[j/8] >> (7-(j%8))) & 1; + /* to avoid out-of-bounds access in gsm_fr_map[++l] */ + if (i == 259) + break; if (--k < 0) { o += gsm_fr_map[l]; k = gsm_fr_map[++l]-1; |