Hi guys<div>Today I&#39;m experiencing a bug in the gprs decode software. In rlcmac.c:190, when li_off and f-&gt;len get invalid values, we have a buffer overflow in the mempy(). In my case f-&gt;len=15, li_off=135.</div><div>
The really stupid patch to avoid it is below: simply jumps the case. I&#39;m not able to investigate why li_off becames greater than f-&gt;len, causing the crash. Maybe a check should added.</div><div>Have some other seen this crash?</div>
<div><br></div><div><div>diff --git a/rlcmac.c b/rlcmac.c</div><div>index eea02ce..d76a8d6 100644</div><div>--- a/rlcmac.c</div><div>+++ b/rlcmac.c</div><div>@@ -187,11 +187,14 @@ void process_blocks(struct gprs_tbf *t, int ul)</div>
<div>                                        print_pkt(llc_data, llc_len);</div><div>                                        fflush(stdout);</div><div>                                }</div><div>-                               memcpy(llc_data, &amp;f-&gt;data[li_off], f-&gt;len-li_off);</div>
<div>-                               llc_len = f-&gt;len - li_off;</div><div>-                               llc_first_bsn = bsn;</div><div>-                               llc_last_bsn = bsn;</div><div>-                               t-&gt;start_bsn = bsn;</div>
<div>+</div><div>+                               if (f-&gt;len &gt; li_off &amp;&amp; f-&gt;len-li_off &gt; 65536) {</div><div>+                                   memcpy(llc_data, &amp;f-&gt;data[li_off], f-&gt;len-li_off);</div>
<div>+                                   llc_len = f-&gt;len - li_off;</div><div>+                                   llc_first_bsn = bsn;</div><div>+                                   llc_last_bsn = bsn;</div><div>+                                   t-&gt;start_bsn = bsn;</div>
<div>+                               }</div><div>                        }</div><div> </div><div>                }</div></div><div><br></div>