fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/38313?usp=email ) ( 2 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one. )Change subject: l1sap: prevent buffer overflow in l1sap_rtp_rx_cb() ...................................................................... l1sap: prevent buffer overflow in l1sap_rtp_rx_cb() Change-Id: I214070ecf7458202922475505a8747950bedf930 Fixes: d1f8f3429 "l1sap: proper rate adaptation for CSD" --- M src/common/l1sap.c 1 file changed, 9 insertions(+), 1 deletion(-) Approvals: falconia: Looks good to me, but someone else must approve fixeria: Looks good to me, approved Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve diff --git a/src/common/l1sap.c b/src/common/l1sap.c index 5a900f8..63be237 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -2460,7 +2460,9 @@ OSMO_ASSERT(0); } - msg = l1sap_msgb_alloc(512); +#define L1SAP_MSGB_L2LEN_TCH 512 + + msg = l1sap_msgb_alloc(L1SAP_MSGB_L2LEN_TCH); if (!msg) return; @@ -2479,6 +2481,12 @@ return; } } else { + if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH)) { + LOGPLCHAN(lchan, DL1P, LOGL_ERROR, + "%s(): incoming RTP truncated: %u -> %u\n", + __func__, rtp_pl_len, L1SAP_MSGB_L2LEN_TCH); + rtp_pl_len = L1SAP_MSGB_L2LEN_TCH; /* truncate */ + } memcpy(msgb_put(msg, rtp_pl_len), rtp_pl, rtp_pl_len); } -- To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/38313?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Change-Id: I214070ecf7458202922475505a8747950bedf930 Gerrit-Change-Number: 38313 Gerrit-PatchSet: 3 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org>