Change in osmo-pcu[master]: fix a one-byte stack buffer overrun in osmo-pcu

Harald Welte gerrit-no-reply at lists.osmocom.org
Fri May 25 17:30:06 UTC 2018


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/9301 )

Change subject: fix a one-byte stack buffer overrun in osmo-pcu
......................................................................

fix a one-byte stack buffer overrun in osmo-pcu

Address sanitizer uncovered a one-byte stack overrun due to an
off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch().
Fix the problem and add an assertion which triggers before the
overrun can occur.

Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Related: OS#3289
---
M src/pcu_l1_if.cpp
1 file changed, 2 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  Pau Espin Pedrol: Looks good to me, but someone else must approve
  Harald Welte: Looks good to me, approved



diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 4b54707..27e86dd 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -217,7 +217,7 @@
 
 void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
 {
-	uint8_t data[23+3]; /* prefix PLEN */
+	uint8_t data[3+1+23]; /* prefix PLEN */
 
 	/* paging group */
 	if (!imsi || strlen(imsi) < 3)
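Review bot: on the `data` declaration, `3+1+23` is three bare literals, and the `/* prefix PLEN */` comment does not say which term is which. The same numbers recur further down the function as `3+1` and `23+3`, so the size the commit message describes as off by one can drift again with the next edit. Suggest named constants for the paging group bytes, the PLEN byte and the block length, with the array size and the later offsets written in terms of them.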
@@ -227,6 +227,7 @@
 	data[1] = imsi[1];
 	data[2] = imsi[2];
 
+	OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
 	bitvec_pack(block, data + 3+1);
 	data[3] = (plen << 2) | 0x01;
 	pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);
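Review bot: the `pcu_tx_data_req()` call on the last line of this hunk still passes `23+3` as the length, although `data` is now `3+1+23` bytes and the new assertion accepts `block->data_len` up to `sizeof(data) - (3+1)`, which is 23. If a block can really be 23 bytes long, `bitvec_pack(block, data + 3+1)` places its last byte at `data[26]`, which a 26-byte send never transmits; if a block is at most 22 bytes, the assertion bound is one looser than what goes on the wire. Please either pass `sizeof(data)` as the length or tighten the assertion to match the transmitted length, and note in a comment which of the two is intended.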

-- 
To view, visit https://gerrit.osmocom.org/9301

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Gerrit-Change-Number: 9301
Gerrit-PatchSet: 2
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Stefan Sperling <ssperling at sysmocom.de>