fixeria has uploaded this change for review.
osmo-bts-trx: check sscanf() result in NOMTXPOWER/SETPOWER handlers
Both trx_ctrl_rx_rsp_nomtxpower() and trx_ctrl_rx_rsp_setpower() were
calling sscanf() without checking its return value. On a parse failure
the local variable remained uninitialized and was passed directly to the
callback, resulting in a garbage power level.
Change-Id: I3dc399cfae70c450d53d66bb99f3832f160fca39
---
M src/osmo-bts-trx/trx_if.c
1 file changed, 8 insertions(+), 2 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/11/42511/1
diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c
index 60705fc..56910fd 100644
--- a/src/osmo-bts-trx/trx_if.c
+++ b/src/osmo-bts-trx/trx_if.c
@@ -581,7 +581,10 @@
"through VTY cmd 'nominal-tx-power'.\n",
rsp->status);
if (cb) {
- sscanf(rsp->params, "%d", &nominal_power);
+ if (sscanf(rsp->params, "%d", &nominal_power) != 1) {
+ LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse NOMTXPOWER response\n");
+ return -EINVAL;
+ }
cb(l1h, nominal_power, rsp->status);
}
return 0;
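Review bot: On a parse failure the added `return -EINVAL;` skips `cb(l1h, nominal_power, rsp->status)` entirely, so the callback never learns of a non-zero `rsp->status`; the SETPOWER hunk below has the same shape with `power_att`. If the transceiver can answer a rejected command with a status but no parameter (not visible in these hunks), that case now ends in the parse-failure branch, so confirm what the caller does with -EINVAL and whether the callback must still run with the status. Separately, `%d` in sscanf() has undefined behaviour when the digits do not fit in an int, and the string presumably arrives from the transceiver control interface, so `strtol()` with an end-pointer and `errno` check plus a range check on the power value would be the stricter parse. Logging the offending input, e.g. `"Failed to parse NOMTXPOWER response '%s'\n", rsp->params`, would make a misbehaving transceiver easier to diagnose. Both function bodies start outside their hunks, so the variable declarations and the status check were not reviewed.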
@@ -597,7 +600,10 @@
LOGPPHI(pinst, DTRX, LOGL_ERROR, "transceiver SETPOWER failed with status %d\n",
rsp->status);
if (cb) {
- sscanf(rsp->params, "%d", &power_att);
+ if (sscanf(rsp->params, "%d", &power_att) != 1) {
+ LOGPPHI(pinst, DTRX, LOGL_ERROR, "Failed to parse SETPOWER response\n");
+ return -EINVAL;
+ }
cb(l1h, power_att, rsp->status);
}
return 0;