This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
fixeria gerrit-no-reply at lists.osmocom.orgfixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/19962 ) Change subject: SI Type 4: prevent potential buffer overflow ...................................................................... SI Type 4: prevent potential buffer overflow Make sure that in generate_si4() we do not corrupt other SI buffers by limiting maximum length of the Mobile Allocation to 2 octets. This would preserve at least 2 octets for the Rest Octets, what should be enough to encode at least GPRS Indicator. Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4 Related: SYS#4868, OS#4545 --- M src/osmo-bsc/system_information.c 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/62/19962/1 diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c index 2418e32..b969989 100644 --- a/src/osmo-bsc/system_information.c +++ b/src/osmo-bsc/system_information.c @@ -974,6 +974,9 @@ /* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */ if (ts->hopping.enabled) { + /* Prevent potential buffer overflow */ + if (ts->hopping.ma_len > 2) + return -ENOMEM; tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL, ts->hopping.ma_len, ts->hopping.ma_data); -- To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/19962 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4 Gerrit-Change-Number: 19962 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200903/40017491/attachment.htm>
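Review bot: The bound in the added check `if (ts->hopping.ma_len > 2)` is a bare constant, and the comment above it ("Prevent potential buffer overflow") does not say where the 2 comes from. The rationale is only in the commit message: capping the Mobile Allocation at 2 octets keeps at least 2 octets free for the Rest Octets. Please move that reasoning into the comment, or give the limit a named constant, so the check is not silently invalidated if the SI4 layout before this IE changes. If the space left in the SI buffer can be derived from `tail` at this point, checking `ma_len` against that would be more robust than a fixed value. Also, `return -ENOMEM` fires without any log output and the errno suggests allocation failure rather than a Mobile Allocation that does not fit. A log line that reports the offending `ma_len` would make the failure diagnosable from the hopping configuration, and a code such as -EINVAL or -ENOSPC would describe it better.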