dexter submitted this change.

View Change

Approvals: Jenkins Builder: Verified fixeria: Looks good to me, approved 
pcu_l1_if: ignore frame numbers that exceed the valid range

osmo-bsc may send invalid frame numbers through the pcu-sock interface.
Lets make sure that incoming frame numbers do not exceed the valid
range.

Change-Id: Ib0cf1738be07733c95fc6c459a8a7c4cb2eeef26
Related: OS#5198
---
M src/pcu_l1_if.cpp
1 file changed, 7 insertions(+), 0 deletions(-)

diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 15ae94f..69629db 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -40,6 +40,7 @@
 #include <osmocom/gsm/protocol/gsm_04_08.h>
 #include <osmocom/gsm/gsm48_rest_octets.h>
 #include <osmocom/gsm/sysinfo.h>
+#include <osmocom/gsm/gsm0502.h>
 
 #include <nacc_fsm.h>
 }
@@ -623,6 +624,12 @@
 		"qta=%d, ra=0x%02x, fn=%u, cur_fn=%d, is_11bit=%d\n", rach_ind->sapi, rach_ind->qta,
 		rach_ind->ra, rach_ind->fn, current_fn, rach_ind->is_11bit);
 
+	if (OSMO_UNLIKELY(rach_ind->fn > GSM_TDMA_HYPERFRAME - 1)) {
+		LOGP(DL1IF, LOGL_ERROR, "RACH request contains fn=%u that exceeds valid limits (0-%u) -- ignored!\n",
+		     rach_ind->fn,  GSM_TDMA_HYPERFRAME - 1);
+			return -EINVAL;
+	}
+
 	struct rach_ind_params rip = {
 		.burst_type = (enum ph_burst_type) rach_ind->burst_type,
 		.is_11bit = rach_ind->is_11bit > 0,

7 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one.

To view, visit change 31023. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: Ib0cf1738be07733c95fc6c459a8a7c4cb2eeef26
Gerrit-Change-Number: 31023
Gerrit-PatchSet: 8
Gerrit-Owner: dexter <pmaier@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: dexter <pmaier@sysmocom.de>
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-MessageType: merged