Change in osmocom-bb[master]: prevent heap overflow in tch_fr_disassemble()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Vadim Yanitskiy gerrit-no-reply at lists.osmocom.org
Tue Jul 24 14:19:38 UTC 2018


Vadim Yanitskiy has posted comments on this change. ( https://gerrit.osmocom.org/10131 )

Change subject: prevent heap overflow in tch_fr_disassemble()
......................................................................


Patch Set 1: Code-Review-1

(1 comment)

https://gerrit.osmocom.org/#/c/10131/1/src/host/trxcon/sched_prim.c
File src/host/trxcon/sched_prim.c:

https://gerrit.osmocom.org/#/c/10131/1/src/host/trxcon/sched_prim.c@71
PS1, Line 71: 	len += pl_len < GSM_BURST_PL_LEN ? GSM_BURST_PL_LEN : pl_len; /* Requested payload size */
Oh, no. This is definitely wrong, sorry...

GSM_BURST_PL_LEN defines the *length of a normal burst's payload*
in bits (Layer 1, coding), while here we allocate the memory for
a L2 frame...



-- 
To view, visit https://gerrit.osmocom.org/10131
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I3ae3a1a14d131de256b48d645130df737e9b5f26
Gerrit-Change-Number: 10131
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Comment-Date: Tue, 24 Jul 2018 14:19:38 +0000
Gerrit-HasComments: Yes
Gerrit-HasLabels: Yes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180724/4b8b5d54/attachment.htm>


More information about the gerrit-log mailing list