<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-bsc/+/21920">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  laforge: Looks good to me, approved
  fixeria: Looks good to me, but someone else must approve
  Jenkins Builder: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">smscb: Avoid scheduler array overflow<br><br>This fixes the following heap overflow in the SMSCB scheduler:<br><br>==109051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00003a9a0 at pc 0x55d77e4bedf1 bp 0x7fff8cdc4240 sp 0x7fff8cdc4238<br>READ of size 8 at 0x60d00003a9a0 thread T0<br>    #0 0x55d77e4bedf0 in bts_smscb_sched_add_before /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/cbch_scheduler.c:64<br><br>Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad<br>---<br>M src/osmo-bsc/cbch_scheduler.c<br>1 file changed, 4 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/osmo-bsc/cbch_scheduler.c b/src/osmo-bsc/cbch_scheduler.c</span><br><span>index 8021804..1bdf5e7 100644</span><br><span>--- a/src/osmo-bsc/cbch_scheduler.c</span><br><span>+++ b/src/osmo-bsc/cbch_scheduler.c</span><br><span>@@ -60,6 +60,9 @@</span><br><span>        OSMO_ASSERT(smscb->num_pages <= ARRAY_SIZE(smscb->page));</span><br><span>   OSMO_ASSERT(smscb->num_pages >= 1);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (last_idx >= sched_arr_size)</span><br><span style="color: hsl(120, 100%, 40%);">+            return -ERANGE;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>    for (i = smscb->num_pages - 1; i >= 0; i--) {</span><br><span>          while (sched_arr[arr_idx]) {</span><br><span>                         arr_idx--;</span><br><span>@@ -132,7 +135,7 @@</span><br><span>             }</span><br><span>            last_page = rc;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-             while (last_page < cstate->sched_arr_size) {</span><br><span style="color: hsl(120, 100%, 40%);">+            while (last_page + smscb->input.rep_period < cstate->sched_arr_size) {</span><br><span>                      /* store further instances in a 
way that the last block of the N+1th instance</span><br><span>                         * happens no later than "interval" after the last block of the Nth instance */</span><br><span>                    rc = bts_smscb_sched_add_before(arr, arr_size,</span><br><span></span><br></pre>
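<p>Review bot: in the first hunk, the new guard "if (last_idx >= sched_arr_size)" covers only the upper end of the index, while the "while (sched_arr[arr_idx])" loop directly below it walks arr_idx downwards. The context ends at "arr_idx--", so please confirm that a lower-bound check follows there; otherwise a fully occupied array would move the out-of-bounds read from the back of the array to the front. The new -ERANGE return value should also be mentioned in the function's comment so that callers know to expect it.</p>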
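<p>Review bot: in the second hunk, the new loop condition on "last_page + smscb->input.rep_period" repeats at the call site the bound that the first hunk now enforces inside bts_smscb_sched_add_before(). The call's arguments are cut off in the context; if the call passes the same sum, consider computing it once into a local variable and using that in both the condition and the call, so the two cannot drift apart. Since rep_period is taken from smscb->input, it is also worth checking that the addition cannot wrap for the types involved, which the hunk does not show, and that a negative rc from the call ends the loop.</p>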

<div style="display:none"> Gerrit-Project: osmo-bsc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad </div>
<div style="display:none"> Gerrit-Change-Number: 21920 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: daniel <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: dexter <pmaier@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>