Change in osmo-bsc[master]: abis_nm: fix: properly truncate feature vector reported by BTS

Vadim Yanitskiy gerrit-no-reply at lists.osmocom.org
Wed Jun 3 06:52:39 UTC 2020


Vadim Yanitskiy has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/18597 )

Change subject: abis_nm: fix: properly truncate feature vector reported by BTS
......................................................................

abis_nm: fix: properly truncate feature vector reported by BTS

The value of the feature vector can not only be greater, but also
shorter than the size of the buffer! This would potentially result
in a buffer overrun. Let's fix this.

Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
---
M src/osmo-bsc/abis_nm.c
1 file changed, 4 insertions(+), 3 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bsc/abis_nm.c b/src/osmo-bsc/abis_nm.c
index f600801..db2879f 100644
--- a/src/osmo-bsc/abis_nm.c
+++ b/src/osmo-bsc/abis_nm.c
@@ -571,8 +571,9 @@
 
 		/* log potential BTS feature vector overflow */
 		if (len > sizeof(bts->_features_data)) {
-			LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated to %zu bytes\n",
-			     bts->nr, sizeof(bts->_features_data));
+			LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: feature vector is truncated "
+			     "(from %u to %zu bytes)\n", bts->nr, len, sizeof(bts->_features_data));
+			len = sizeof(bts->_features_data);
 		}
 
 		/* check that max. expected BTS attribute is above given feature vector length */
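Review bot: The comment above the `if (len > sizeof(bts->_features_data))` check still reads "log potential BTS feature vector overflow", but the block now also clamps `len`, which the later memcpy() depends on; please update the comment to say that the length is truncated here so nobody reduces the block to logging only again. Also, the new format string prints `len` with `%u`, and the declaration of `len` is not visible in this hunk, so please confirm the specifier matches its type. Note that the "max. expected BTS attribute" check that follows now sees the clamped `len` rather than the length the BTS reported; if that log is meant to show the reported length, keep the original value in a separate variable.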
@@ -583,7 +584,7 @@
 			     bts->nr, len);
 		}
 
-		memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
+		memcpy(bts->_features_data, TLVP_VAL(tp, NM_ATT_MANUF_ID), len);
 
 		for (i = 0; i < _NUM_BTS_FEAT; i++) {
 			if (osmo_bts_has_feature(&bts->features, i) != osmo_bts_has_feature(&bts->model->features, i)) {
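Review bot: With `memcpy(..., len)` and `len` shorter than `sizeof(bts->_features_data)`, the tail of the destination buffer is left as it was, while the loop right below still walks all `_NUM_BTS_FEAT` entries. If `bts->features` is backed by `_features_data` (not visible in this hunk), bits beyond the received length would come from whatever the buffer held before, for example an earlier Get Attributes Response with a longer vector. Consider clearing the buffer with `memset(bts->_features_data, 0, sizeof(bts->_features_data));` before the copy, or state in a comment that the unreceived part is guaranteed to be zero.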

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/18597

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: I65e3228022865ea73de2e4821985df3097b9448b
Gerrit-Change-Number: 18597
Gerrit-PatchSet: 3
Gerrit-Owner: Vadim Yanitskiy <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Vadim Yanitskiy <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr at sysmocom.de>
Gerrit-MessageType: merged