fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/38313?usp=email )
( 2 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one. )

Change subject: l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()

l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()

Change-Id: I214070ecf7458202922475505a8747950bedf930
Fixes: d1f8f3429 "l1sap: proper rate adaptation for CSD"
---
M src/common/l1sap.c
1 file changed, 9 insertions(+), 1 deletion(-)

Approvals:
  falconia: Looks good to me, but someone else must approve
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve

diff --git a/src/common/l1sap.c b/src/common/l1sap.c index 5a900f8..63be237 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -2460,7 +2460,9 @@ OSMO_ASSERT(0); }
- msg = l1sap_msgb_alloc(512); +#define L1SAP_MSGB_L2LEN_TCH 512 + + msg = l1sap_msgb_alloc(L1SAP_MSGB_L2LEN_TCH); if (!msg) return;
@@ -2479,6 +2481,12 @@ return; } } else { + if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH)) { + LOGPLCHAN(lchan, DL1P, LOGL_ERROR, + "%s(): incoming RTP truncated: %u -> %u\n", + __func__, rtp_pl_len, L1SAP_MSGB_L2LEN_TCH); + rtp_pl_len = L1SAP_MSGB_L2LEN_TCH; /* truncate */ + } memcpy(msgb_put(msg, rtp_pl_len), rtp_pl, rtp_pl_len); }
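
Review bot: in the first hunk, L1SAP_MSGB_L2LEN_TCH is #defined in the middle of the function body, directly above the l1sap_msgb_alloc() call, so it looks like a local but remains visible for the rest of the file. Move it to file scope near the top of l1sap.c with a one-line comment stating what the 512 bounds, so that the allocation and the later length check visibly share one documented definition.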
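
Review bot: in the else branch of the second hunk, the new check compares rtp_pl_len against the constant L1SAP_MSGB_L2LEN_TCH rather than against the space actually left in msg, so it holds only as long as nothing has been put into the msgb before this point and the allocator really provides that many bytes of tailroom. Comparing against msgb_tailroom(msg) would tie the bound to the buffer that memcpy() writes into. Two smaller points: the macro expands to a plain int but is printed with %u, and it is worth stating in a comment why a truncated payload is forwarded rather than dropped with a return, as the error path just above the else does.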