Change in osmo-bsc[master]: smscb: Avoid scheduler array overflow


laforge gerrit-no-reply at lists.osmocom.org
Sun Jan 3 22:09:40 UTC 2021


laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/21920 )

Change subject: smscb: Avoid scheduler array overflow
......................................................................

smscb: Avoid scheduler array overflow

This fixes the following heap overflow in the SMSCB scheduler:

==109051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00003a9a0 at pc 0x55d77e4bedf1 bp 0x7fff8cdc4240 sp 0x7fff8cdc4238
READ of size 8 at 0x60d00003a9a0 thread T0
    #0 0x55d77e4bedf0 in bts_smscb_sched_add_before /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/cbch_scheduler.c:64

Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad
---
M src/osmo-bsc/cbch_scheduler.c
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  laforge: Looks good to me, approved
  fixeria: Looks good to me, but someone else must approve
  Jenkins Builder: Verified



diff --git a/src/osmo-bsc/cbch_scheduler.c b/src/osmo-bsc/cbch_scheduler.c
index 8021804..1bdf5e7 100644
--- a/src/osmo-bsc/cbch_scheduler.c
+++ b/src/osmo-bsc/cbch_scheduler.c
@@ -60,6 +60,9 @@
 	OSMO_ASSERT(smscb->num_pages <= ARRAY_SIZE(smscb->page));
 	OSMO_ASSERT(smscb->num_pages >= 1);
 
+	if (last_idx >= sched_arr_size)
+		return -ERANGE;
+
 	for (i = smscb->num_pages - 1; i >= 0; i--) {
 		while (sched_arr[arr_idx]) {
 			arr_idx--;
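Review bot: the new `if (last_idx >= sched_arr_size) return -ERANGE;` guards the upper bound, but the loop directly below it walks `arr_idx` downward (`arr_idx--`) while `sched_arr[arr_idx]` is non-NULL with no lower-bound check visible in this hunk; if `arr_idx` is derived from `last_idx` and the array is densely populated, it can run below index 0 and read before the buffer, which is the same class of out-of-bounds READ the AddressSanitizer report cites at line 64. Suggest adding an `arr_idx >= 0` condition (or an explicit `if (arr_idx < 0) return -ERANGE;`) inside the `while` loop, and documenting the new `-ERANGE` return in the function's comment so callers know to handle a negative result. Also make sure `<errno.h>` is included in this file for `ERANGE`, which is not visible here.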
@@ -132,7 +135,7 @@
 		}
 		last_page = rc;
 
-		while (last_page < cstate->sched_arr_size) {
+		while (last_page + smscb->input.rep_period < cstate->sched_arr_size) {
 			/* store further instances in a way that the last block of the N+1th instance
 			 * happens no later than "interval" after the last block of the Nth instance */
 			rc = bts_smscb_sched_add_before(arr, arr_size,
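Review bot: changing the loop condition to `last_page + smscb->input.rep_period < cstate->sched_arr_size` stops scheduling a repetition that cannot fit, but the `rc = bts_smscb_sched_add_before(...)` call that follows can now return `-ERANGE` (from the first hunk) and the lines handling `rc` are outside this hunk; please confirm that a negative `rc` breaks out of the `while` loop rather than being assigned to `last_page`, otherwise a negative `last_page` would pass the condition on the next iteration. Also worth checking that `last_page` and `rep_period` have the same signedness, since a mixed signed/unsigned addition in the condition would silently change the comparison; if `rep_period` can be zero, the loop would never terminate, so a `rep_period > 0` assertion before the loop would be a cheap safeguard.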

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/21920
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad
Gerrit-Change-Number: 21920
Gerrit-PatchSet: 2
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged