fixeria submitted this change.

View Change

Approvals: Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve pespin: Looks good to me, approved 
osmo-bts-trx: check sscanf() result in NOMTXPOWER/SETPOWER handlers

Both trx_ctrl_rx_rsp_nomtxpower() and trx_ctrl_rx_rsp_setpower() were
calling sscanf() without checking its return value.  On a parse failure
the local variable remained uninitialized and was passed directly to the
callback, resulting in a garbage power level.

Change-Id: I3dc399cfae70c450d53d66bb99f3832f160fca39
---
M src/osmo-bts-trx/trx_if.c
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c
index 60705fc..56910fd 100644
--- a/src/osmo-bts-trx/trx_if.c
+++ b/src/osmo-bts-trx/trx_if.c
@@ -581,7 +581,10 @@
 			"through VTY cmd 'nominal-tx-power'.\n",
 			rsp->status);
 	if (cb) {
-		sscanf(rsp->params, "%d", &nominal_power);
+		if (sscanf(rsp->params, "%d", &nominal_power) != 1) {
+			LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse NOMTXPOWER response\n");
+			return -EINVAL;
+		}
 		cb(l1h, nominal_power, rsp->status);
 	}
 	return 0;
@@ -597,7 +600,10 @@
 		LOGPPHI(pinst, DTRX, LOGL_ERROR, "transceiver SETPOWER failed with status %d\n",
 			rsp->status);
 	if (cb) {
-		sscanf(rsp->params, "%d", &power_att);
+		if (sscanf(rsp->params, "%d", &power_att) != 1) {
+			LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse SETPOWER response\n");
+			return -EINVAL;
+		}
 		cb(l1h, power_att, rsp->status);
 	}
 	return 0;

To view, visit change 42511. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: merged
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I3dc399cfae70c450d53d66bb99f3832f160fca39
Gerrit-Change-Number: 42511
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>