This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Stefan Sperling gerrit-no-reply at lists.osmocom.org

Stefan Sperling has uploaded this change for review. ( https://gerrit.osmocom.org/9301 )
Change subject: fix a one-byte stack buffer overrun in osmo-pcu
......................................................................
fix a one-byte stack buffer overrun in osmo-pcu
Address sanitizer uncovered a one-byte stack overrun due to an
off-by-one in the size of the 'data' buffer in pcu_l1if_tx_pch().
Fix the problem and add an assertion which triggers before the
overrun can occur.
Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Related: OS#3289
---
M src/pcu_l1_if.cpp
1 file changed, 2 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/01/9301/1
diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 4b54707..02d1323 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -217,7 +217,7 @@
void pcu_l1if_tx_pch(bitvec * block, int plen, const char *imsi)
{
- uint8_t data[23+3]; /* prefix PLEN */
+ uint8_t data[23+3+1]; /* prefix PLEN */
/* paging group */
if (!imsi || strlen(imsi) < 3)
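Review bot: the new declaration `uint8_t data[23+3+1]; /* prefix PLEN */` adds another bare-number spelling of the buffer layout, and the unchanged comment does not say which byte the extra +1 accounts for. The same layout is spelled separately as `3+1` in the pack offset and as `23+3` in the length passed to pcu_tx_data_req(), which is the kind of drift that produced this off-by-one. Consider naming the parts (IMSI prefix length, PLEN byte, payload length) as constants and deriving the array size, the pack offset and the transmit length from them, or at least extend the comment to state what each term is.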
@@ -227,6 +227,7 @@
data[1] = imsi[1];
data[2] = imsi[2];
+ OSMO_ASSERT(block->data_len <= sizeof(data) - (3+1));
bitvec_pack(block, data + 3+1);
data[3] = (plen << 2) | 0x01;
pcu_tx_data_req(0, 0, PCU_IF_SAPI_PCH, 0, 0, 0, data, 23+3);
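Review bot: the length passed on the last line of this hunk is still `23+3`, although the buffer is now 23+3+1 bytes and the new assertion admits a block->data_len of up to sizeof(data) - (3+1), i.e. 23. With packing starting at `data + 3+1`, a 23-byte block fills data[4] through data[26], but the request only covers data[0] through data[25], so the last packed byte is never handed over. Please confirm whether dropping that byte is intended and document it next to the call, or make the length agree with what was packed. A short comment on the OSMO_ASSERT stating that block->data_len is expected to be at most 23 here would also help readers see why the bound holds.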
--
To view, visit https://gerrit.osmocom.org/9301
Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I08a879d72fcb916f78f175612fd90467d7bdd57c
Gerrit-Change-Number: 9301
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>