This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Stefan Sperling gerrit-no-reply at lists.osmocom.org

Stefan Sperling has uploaded this change for review. ( https://gerrit.osmocom.org/9301 )

Change subject: fix a one-byte stack buffer overrun in osmo-pcu
......................................................................

fix a one-byte stack buffer overrun in osmo-pcu

Address sanitizer uncovered a one-byte stack overrun due to an off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch(). Fix the problem and add an assertion which triggers before the overrun can occur.

Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Related: OS#3289
---
M src/pcu_l1_if.cpp
1 file changed, 2 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/01/9301/1

diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp index 4b54707..02d1323 100644 --- a/src/pcu_l1_if.cpp +++ b/src/pcu_l1_if.cpp @@ -217,7 +217,7 @@ void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi) { - uint8_t data[23+3]; /* prefix PLEN */ + uint8_t data[23+3+1]; /* prefix PLEN */ /* paging group */ if (!imsi || strlen(imsi) < 3) @@ -227,6 +227,7 @@ data[1] = imsi[1]; data[2] = imsi[2]; + OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1)); bitvec_pack(block, data + 3+1); data[3] = (plen << 2) | 0x01; pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);

--
To view, visit https://gerrit.osmocom.org/9301
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Gerrit-Change-Number: 9301
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>
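
Review bot: In the first hunk, the `data` declaration sizes the buffer as `23+3+1` from three bare literals, and the trailing comment `/* prefix PLEN */` does not say which term covers which field, so an off-by-one like the one fixed here is easy to reintroduce. Consider named constants for the 3-byte paging group prefix, the 1-byte PLEN field and the 23 bytes left for the packed block, and derive the `data + 3+1` write offset used further down from the same constants so the declaration and the offset cannot drift apart.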
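
Review bot: In the second hunk, the unchanged `pcu_tx_data_req(..., data, 23+3)` call after the new assertion still passes 26 as its last argument, while `bitvec_pack(block, data + 3+1)` may now fill offsets 4 through 26 of the 27-byte buffer. If that argument is a byte count, the final packed byte is never transmitted; either pass `sizeof(data)` or add a comment explaining why 26 is intended. The `(3+1)` in the assertion duplicates the `3+1` offset on the next line, so a shared constant would keep the check and the write in step. Since a failed `OSMO_ASSERT` stops the process instead of returning an error, it is also worth stating in the commit message whether every caller guarantees `block->data_len` is at most 23.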