This is merely a historical archive of the years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.org

laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/19131 )

Change subject: subchan_demux: Fix out-of-bounds write
......................................................................

subchan_demux: Fix out-of-bounds write

We cannot blindly append two ubits to the 320-ubit sized buffer. In the end, we may already fill the buffer after the first ubit, causing a buffer overflow with the second ubit. Let's check if the buffer is full after every bit.

Avoid copy+pasting but move the code repeated per bit to a new function.

Change-Id: I58d946265372278051e4f29301d4f201ab98c0fc
Closes: OS#4648
---
M src/subchan_demux.c
1 file changed, 25 insertions(+), 23 deletions(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved

diff --git a/src/subchan_demux.c b/src/subchan_demux.c index 55503db..a3a44d9 100644 --- a/src/subchan_demux.c +++ b/src/subchan_demux.c @@ -92,6 +92,29 @@ return 0; } +static void append_bit_resync_out(struct subch_demux *dmx, int c, ubit_t bit) +{ + struct demux_subch *sch = &dmx->subch[c]; + append_bit(sch, bit); + + if (sync_hdr_complete(sch, bit)) + resync_to_here(sch); + + /* FIXME: verify the first bit in octet 2, 4, 6, ... + * according to TS 08.60 4.8.1 */ + + /* once we have reached TRAU_FRAME_BITS, call + * the TRAU frame handler callback function */ + if (sch->out_idx >= TRAU_FRAME_BITS) { + if (sch->in_sync) { + dmx->out_cb(dmx, c, sch->out_bitbuf, + sch->out_idx, dmx->data); + sch->in_sync = 0; + } + sch->out_idx = 0; + } +} + /*! \brief Input some data from the 64k full-slot into subchannel demux * \param[in] dmx subchannel demuxer * \param[in] data pointer to buffer containing input data @@ -108,7 +131,6 @@ uint8_t inbyte = data[i]; for (c = 0; c < NR_SUBCH; c++) { - struct demux_subch *sch = &dmx->subch[c]; uint8_t inbits; uint8_t bit; 
@@ -123,33 +145,13 @@ bit = 1; else bit = 0; - append_bit(sch, bit); - - if (sync_hdr_complete(sch, bit)) - resync_to_here(sch); + append_bit_resync_out(dmx, c, bit); if (inbits & 0x02) bit = 1; else bit = 0; - append_bit(sch, bit); - - if (sync_hdr_complete(sch, bit)) - resync_to_here(sch); - - /* FIXME: verify the first bit in octet 2, 4, 6, ... - * according to TS 08.60 4.8.1 */ - - /* once we have reached TRAU_FRAME_BITS, call - * the TRAU frame handler callback function */ - if (sch->out_idx >= TRAU_FRAME_BITS) { - if (sch->in_sync) { - dmx->out_cb(dmx, c, sch->out_bitbuf, - sch->out_idx, dmx->data); - sch->in_sync = 0; - } - sch->out_idx = 0; - } + append_bit_resync_out(dmx, c, bit); } } return i;

--
To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/19131
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmo-abis
Gerrit-Branch: master
Gerrit-Change-Id: I58d946265372278051e4f29301d4f201ab98c0fc
Gerrit-Change-Number: 19131
Gerrit-PatchSet: 2
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged
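Review bot: In the @@ -92,6 +92,29 @@ hunk, the full-buffer check in append_bit_resync_out runs only after append_bit has already stored the bit, so the overflow is prevented solely by the convention that every caller goes through this function for every single bit; append_bit itself still has no bound on sch->out_idx. Consider either documenting that invariant on the new function (the neighbouring code carries /*! \brief ... */ blocks, the new static helper has none) or, better, refusing the write inside append_bit once out_idx has reached TRAU_FRAME_BITS, so that a future caller that appends two bits before checking cannot reintroduce the out-of-bounds write. The case the commit message describes (buffer full after the first of the two bits) requires out_idx to be odd before the pair, which only the resync path can produce; resync_to_here is not shown here, so that assumption is worth a comment next to the check as well.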
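Review bot: In the @@ -123,33 +145,13 @@ hunk, the two remaining call sites are identical apart from the bit they pass, and each is still preceded by its own if/else that converts one mask of inbits into bit (visible for the second one: if (inbits & 0x02) bit = 1; else bit = 0;). That leftover duplication could go the same way as the rest of the change, e.g. append_bit_resync_out(dmx, c, !!(inbits & 0x02)); for the second bit, which also drops the bit temporary. Style only; the fix itself is correct as long as both bits go through the helper, which they now do.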
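The overflow described in the commit message, as an added example that is not part of this change or of libosmo-abis: a C model of one subchannel's output buffer using the field names from the diff (out_bitbuf, out_idx) and TRAU_FRAME_BITS = 320 from the message. Since append_bit, sync_hdr_complete and resync_to_here are not shown, the model replaces them with its own helpers: model_append_bit records a write that would land past the buffer instead of performing it, and a resync is represented only by starting out_idx at an assumed odd value (17, chosen for the example). It runs the pre-fix pattern (two bits appended, one check per input byte) and the fixed pattern (check after every bit) over constructed input and counts the out-of-bounds writes each produces.

```c
/* Added example, not libosmo-abis code: a small model of one subchannel's
 * output bit buffer that reproduces the overflow fixed by this change and
 * shows the per-bit check that prevents it. Field names follow the diff;
 * the helpers below are assumptions of the model, not the real ones. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAU_FRAME_BITS 320	/* "320-ubit sized buffer" per the commit message */

typedef uint8_t ubit_t;

struct model_subch {
	ubit_t out_bitbuf[TRAU_FRAME_BITS];
	unsigned int out_idx;		/* next write position, as in the diff */
	unsigned int frames_out;	/* stands in for calls to dmx->out_cb */
	unsigned int oob_writes;	/* writes that would have landed past out_bitbuf */
};

/* Assumed stand-in for append_bit(): store one bit at out_idx and advance.
 * Instead of corrupting memory on overflow it records the attempt. */
static void model_append_bit(struct model_subch *sch, ubit_t bit)
{
	if (sch->out_idx < TRAU_FRAME_BITS)
		sch->out_bitbuf[sch->out_idx] = bit;
	else
		sch->oob_writes++;
	sch->out_idx++;
}

/* The "buffer full" check from the diff: hand the frame on and rewind. */
static void model_flush_if_full(struct model_subch *sch)
{
	if (sch->out_idx >= TRAU_FRAME_BITS) {
		sch->frames_out++;
		sch->out_idx = 0;
	}
}

/* Feed nbytes input bytes (two subchannel bits each) into a fresh model whose
 * out_idx starts at start_idx. An odd start_idx models the state right after
 * a resync; the value is constructed for the example, the real resync point
 * is not shown in the change. With per_bit_check == 0 the check runs once per
 * byte, after both bits (pre-fix); with 1 it runs after each bit (fixed).
 * Returns the number of out-of-bounds writes; *frames receives the frame count. */
static unsigned int simulate(int per_bit_check, unsigned int start_idx,
			     unsigned int nbytes, unsigned int *frames)
{
	struct model_subch sch;
	unsigned int i;

	memset(&sch, 0, sizeof(sch));
	sch.out_idx = start_idx;
	for (i = 0; i < nbytes; i++) {
		/* constructed input: the bit values do not matter for the overflow */
		model_append_bit(&sch, 1);
		if (per_bit_check)
			model_flush_if_full(&sch);
		model_append_bit(&sch, 0);
		model_flush_if_full(&sch);
	}
	if (frames)
		*frames = sch.frames_out;
	return sch.oob_writes;
}

static unsigned int oob_writes_before_fix(unsigned int start_idx, unsigned int nbytes)
{
	return simulate(0, start_idx, nbytes, NULL);
}

static unsigned int oob_writes_after_fix(unsigned int start_idx, unsigned int nbytes)
{
	return simulate(1, start_idx, nbytes, NULL);
}

static unsigned int frames_after_fix(unsigned int start_idx, unsigned int nbytes)
{
	unsigned int frames;

	simulate(1, start_idx, nbytes, &frames);
	return frames;
}

int main(void)
{
	/* 17 is a constructed odd start; any odd out_idx triggers the pre-fix bug */
	printf("start=17, before fix: %u out-of-bounds write(s)\n",
	       oob_writes_before_fix(17, 200));
	printf("start=17, after fix:  %u out-of-bounds write(s), %u frame(s)\n",
	       oob_writes_after_fix(17, 200), frames_after_fix(17, 200));
	printf("start=0,  before fix: %u out-of-bounds write(s)\n",
	       oob_writes_before_fix(0, 200));
	return 0;
}
```

With an even starting out_idx the pre-fix code never overflows, because two bits per byte keep out_idx even and the once-per-byte check fires exactly at 320; only an odd out_idx, which in the real code can arise from a resync, lets the first bit of a pair land on index 319 and the second one on index 320. That is why the bug depends on the sync path and does not show up on plain streaming input.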