[PATCH] osmo-bts[master]: trx: Avoid NULL+1 dereference in trx_ctrl_read_cb()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Sun Nov 5 18:04:51 UTC 2017


Review at  https://gerrit.osmocom.org/4685

trx: Avoid NULL+1 dereference in trx_ctrl_read_cb()

We unconditionally pass "p+1" into sscanf() despite not knowing
if 'p' is NULL or not.

Change-Id: I40a49c3feb3b55ef577eebd7d567afdbcfe0d624
Fixes: Coverity CID#178661
---
M src/osmo-bts-trx/trx_if.c
1 file changed, 3 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/85/4685/1

diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c
index 5d8f6c4..1332854 100644
--- a/src/osmo-bts-trx/trx_if.c
+++ b/src/osmo-bts-trx/trx_if.c
@@ -397,7 +397,9 @@
 			goto notmatch;
 
 		/* check for response code */
-		sscanf(p + 1, "%d", &resp);
+		resp = 0;
+		if (p)
+			sscanf(p + 1, "%d", &resp);
 		if (resp) {
 			LOGP(DTRX, (tcm->critical) ? LOGL_FATAL : LOGL_NOTICE,
 				"transceiver (%s) rejected TRX command "

-- 
To view, visit https://gerrit.osmocom.org/4685
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I40a49c3feb3b55ef577eebd7d567afdbcfe0d624
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>



More information about the gerrit-log mailing list