fixeria has uploaded this change for review.

l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()

Change-Id: I214070ecf7458202922475505a8747950bedf930
---
M src/common/l1sap.c
1 file changed, 9 insertions(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/13/38313/1
diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index a8f2a04..83dacbd 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -2485,9 +2485,17 @@
OSMO_ASSERT(0);
}

- msg = l1sap_msgb_alloc(512);
+#define L1SAP_MSGB_L2LEN_TCH 512
+
+ msg = l1sap_msgb_alloc(L1SAP_MSGB_L2LEN_TCH);
if (!msg)
return;
+ if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH)) {
+ LOGPLCHAN(lchan, DL1P, LOGL_ERROR,
+ "%s(): incoming RTP truncated: %u -> %u\n",
+ __func__, rtp_pl_len, L1SAP_MSGB_L2LEN_TCH);
+ rtp_pl_len = L1SAP_MSGB_L2LEN_TCH; /* truncate */
+ }
memcpy(msgb_put(msg, rtp_pl_len), rtp_pl, rtp_pl_len);

msgb_pull(msg, sizeof(struct osmo_phsap_prim));
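
Review bot: In the new "if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH))" branch, an oversized payload is truncated and then still copied and passed on, so the code after the memcpy() receives a frame cut at the 512-byte limit rather than at a meaningful boundary; consider freeing msg and returning instead, unless a truncated payload is known to be handled further down. The bound is also the constant passed to l1sap_msgb_alloc(), not the room actually left in the buffer. The following msgb_pull(msg, sizeof(struct osmo_phsap_prim)) suggests a header is already present in msg, so comparing against msgb_tailroom(msg) would keep the check correct even if the allocator's layout changes. Two smaller points: the #define sits in the middle of the function body and would read better near the top of the file, and the log line prints the macro with %u although 512 is a signed int literal (512U or a cast would match the format). Since rtp_pl_len comes from incoming RTP, the sender can trigger one LOGL_ERROR line per oversized packet, so a lower log level or rate limiting may be worth considering.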

Gerrit-MessageType: newchange
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I214070ecf7458202922475505a8747950bedf930
Gerrit-Change-Number: 38313
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>