fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/42511?usp=email )
Change subject: osmo-bts-trx: check sscanf() result in NOMTXPOWER/SETPOWER handlers ......................................................................
osmo-bts-trx: check sscanf() result in NOMTXPOWER/SETPOWER handlers
Both trx_ctrl_rx_rsp_nomtxpower() and trx_ctrl_rx_rsp_setpower() were calling sscanf() without checking its return value. On a parse failure the local variable remained uninitialized and was passed directly to the callback, resulting in a garbage power level.
Change-Id: I3dc399cfae70c450d53d66bb99f3832f160fca39 --- M src/osmo-bts-trx/trx_if.c 1 file changed, 8 insertions(+), 2 deletions(-)
Approvals: Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve pespin: Looks good to me, approved
diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c
index 60705fc..56910fd 100644
--- a/src/osmo-bts-trx/trx_if.c
+++ b/src/osmo-bts-trx/trx_if.c
@@ -581,7 +581,10 @@
 "through VTY cmd 'nominal-tx-power'.\n",
 rsp->status);
 if (cb) {
- sscanf(rsp->params, "%d", &nominal_power);
+ if (sscanf(rsp->params, "%d", &nominal_power) != 1) {
+ LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse NOMTXPOWER response\n");
+ return -EINVAL;
+ }
 cb(l1h, nominal_power, rsp->status);
 }
 return 0;
@@ -597,7 +600,10 @@
 LOGPPHI(pinst, DTRX, LOGL_ERROR, "transceiver SETPOWER failed with status %d\n",
 rsp->status);
 if (cb) {
- sscanf(rsp->params, "%d", &power_att);
+ if (sscanf(rsp->params, "%d", &power_att) != 1) {
+ LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse SETPOWER response\n");
+ return -EINVAL;
+ }
 cb(l1h, power_att, rsp->status);
 }
 return 0;
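Review bot: The new `return -EINVAL` in the NOMTXPOWER handler, and the identical one in the SETPOWER hunk, also skips `cb(...)` when the response has a non-zero `rsp->status`, so a failed command whose parameter field is empty or non-numeric would no longer reach the callback that is handed that status. Whether failed responses carry a parsable parameter is not visible here, so this is worth confirming; if they may not, parse only on success, e.g. `if (rsp->status == 0 && sscanf(rsp->params, "%d", &nominal_power) != 1)`, with the variable initialised at its declaration, which lies outside the hunk. Separately, `sscanf()` with `%d` still accepts trailing garbage such as `12abc` and has undefined behaviour when the number does not fit in an `int`. Since `rsp->params` is taken from the transceiver's response, `strtol()` with an end-pointer and `errno`/range check would make the validation complete. Both function bodies begin and end outside their hunks, so how the caller treats the new `-EINVAL` return could not be checked.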