This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Stefan Sperling gerrit-no-reply at lists.osmocom.orgStefan Sperling has uploaded this change for review. ( https://gerrit.osmocom.org/10131 Change subject: prevent heap overflow in tch_fr_disassemble() ...................................................................... prevent heap overflow in tch_fr_disassemble() Ensure that sched_prim_init() allocates at least GSM_BURST_PL_LEN bytes of payload buffer. An incomplete packet received could lead to short buffer allocation and cause a crash in libosmocore. Change-Id: I3ae3a1a14d131de256b48d645130df737e9b5f26 Related: OS#3415 --- M src/host/trxcon/sched_prim.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/31/10131/1 diff --git a/src/host/trxcon/sched_prim.c b/src/host/trxcon/sched_prim.c index 2ee06d7..169a906 100644 --- a/src/host/trxcon/sched_prim.c +++ b/src/host/trxcon/sched_prim.c @@ -68,7 +68,7 @@ /* How much memory do we need? */ len = sizeof(struct trx_ts_prim); /* Primitive header */ - len += pl_len; /* Requested payload size */ + len += pl_len < GSM_BURST_PL_LEN ? GSM_BURST_PL_LEN : pl_len; /* Requested payload size */ /* Allocate a new primitive */ new_prim = talloc_zero_size(trx, len); -- To view, visit https://gerrit.osmocom.org/10131 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmocom-bb Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I3ae3a1a14d131de256b48d645130df737e9b5f26 Gerrit-Change-Number: 10131 Gerrit-PatchSet: 1 Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180724/099dc204/attachment.htm>