Change in osmo-bsc[master]: abis_nm: fix: properly truncate feature vector reported by BTS


fixeria gerrit-no-reply at lists.osmocom.org
Fri May 29 19:48:46 UTC 2020


fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/18597 )


Change subject: abis_nm: fix: properly truncate feature vector reported by BTS
......................................................................

abis_nm: fix: properly truncate feature vector reported by BTS

The value of the feature vector can not only be greater, but also
shorter than the size of the buffer! This would potentially result
in a buffer overrun. Let's fix this.

Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
---
M src/osmo-bsc/abis_nm.c
1 file changed, 4 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/97/18597/1

diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index f600801..db2879f 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -571,8 +571,9 @@
 
 		/* log potential BTS feature vector overflow */
 		if (len > sizeof(bts->_features_data)) {
-			LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated to %zu bytes\n",
-			     bts->nr, sizeof(bts->_features_data));
+			LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated "
+			     "(from %u to %zu bytes)\n", bts->nr, len, sizeof(bts->_features_data));
+			len = sizeof(bts->_features_data);
 		}
 
 		/* check that max. expected BTS attribute is above given feature vector length */
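Review bot: The clamp `len = sizeof(bts->_features_data);` inside the overflow branch also changes what the following "max. expected BTS attribute" check sees, and that check logs `len` for the same response. If it is meant to compare against the length the BTS actually reported, it now operates on the truncated value; consider keeping the reported length in a separate variable, or applying the clamp immediately before the memcpy(). Separately, the new format string prints `len` with `%u`, and the declaration of `len` is outside this hunk, so please confirm the specifier matches its type.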
@@ -583,7 +584,7 @@
 			     bts->nr, len);
 		}
 
-		memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
+		memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), len);
 
 		for (i = 0; i < _NUM_BTS_FEAT; i++) {
 			if (osmo_bts_has_feature(&bts->features, i) != osmo_bts_has_feature(&bts->model->features, i)) {
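Review bot: With the copy length in the memcpy() call now `len`, a response shorter than `sizeof(bts->_features_data)` leaves the tail of the destination buffer untouched, so the osmo_bts_has_feature() loop directly below can compare against bits left over from an earlier Get Attributes Response. No zeroing is visible in this hunk; unless the buffer is cleared elsewhere, add `memset(bts->_features_data, 0, sizeof(bts->_features_data));` before the copy. The commit message could also state that the old code read `sizeof(bts->_features_data)` bytes from the TLV value regardless of `len`, since that over-read of the source is what this line fixes.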

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/18597
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
Gerrit-Change-Number: 18597
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-MessageType: newchange