This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.orglaforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bsc/+/21920 ) Change subject: smscb: Avoid scheduler array overflow ...................................................................... smscb: Avoid scheduler array overflow This fixes the following heap overflow in the SMSCB scheduler: ==109051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00003a9a0 at pc 0x55d77e4bedf1 bp 0x7fff8cdc4240 sp 0x7fff8cdc4238 READ of size 8 at 0x60d00003a9a0 thread T0 #0 0x55d77e4bedf0 in bts_smscb_sched_add_before /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/cbch_scheduler.c:64 Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad --- M src/osmo-bsc/cbch_scheduler.c 1 file changed, 4 insertions(+), 1 deletion(-) Approvals: laforge: Looks good to me, approved fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified diff --git a/src/osmo-bsc/cbch_scheduler.c b/src/osmo-bsc/cbch_scheduler.c index 8021804..1bdf5e7 100644 --- a/src/osmo-bsc/cbch_scheduler.c +++ b/src/osmo-bsc/cbch_scheduler.c @@ -60,6 +60,9 @@ OSMO_ASSERT(smscb->num_pages <= ARRAY_SIZE(smscb->page)); OSMO_ASSERT(smscb->num_pages >= 1); + if (last_idx >= sched_arr_size) + return -ERANGE; + for (i = smscb->num_pages - 1; i >= 0; i--) { while (sched_arr[arr_idx]) { arr_idx--; 
@@ -132,7 +135,7 @@ } last_page = rc; - while (last_page < cstate->sched_arr_size) { + while (last_page + smscb->input.rep_period < cstate->sched_arr_size) { /* store further instances in a way that the last block of the N+1th instance * happens no later than "interval" after the last block of the Nth instance */ rc = bts_smscb_sched_add_before(arr, arr_size, -- To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/21920 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-Change-Id: If529aa905336a1b9e7a36e931c165df0ba9899ad Gerrit-Change-Number: 21920 Gerrit-PatchSet: 2 Gerrit-Owner: laforge <laforge at osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: daniel <dwillmann at sysmocom.de> Gerrit-Reviewer: dexter <pmaier at sysmocom.de> Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de> Gerrit-Reviewer: laforge <laforge at osmocom.org> Gerrit-Reviewer: pespin <pespin at sysmocom.de> Gerrit-MessageType: merged
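Review bot: in the first hunk (@@ -60,6 +60,9 @@), the new 'if (last_idx >= sched_arr_size) return -ERANGE;' bounds only the upper end of the index, while the context lines right below it show 'while (sched_arr[arr_idx]) { arr_idx--;' walking downward with no lower-bound exit visible in the hunk. Please confirm that the loop body stops before arr_idx drops below zero when every slot beneath last_idx is already occupied, since that would be the same class of out-of-bounds read at the other end of the array. The declarations are also outside the hunk, so it is worth checking that a negative last_idx cannot pass the comparison if both operands are signed. Finally, -ERANGE is a new return value for this function and should be listed in its doc comment so callers know to expect it.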
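Review bot: in the second hunk (@@ -132,7 +135,7 @@), the new condition 'while (last_page + smscb->input.rep_period < cstate->sched_arr_size)' has no comment explaining why the repetition period is added, and the call it guards is cut off after 'bts_smscb_sched_add_before(arr, arr_size,', so the hunk does not show that the same sum is what gets passed as the last index. A one-line comment stating that the condition mirrors the index handed to the callee would keep the two from drifting apart in later edits. With the first hunk in place the callee can now also return -ERANGE, so the handling of rc after this call should treat any negative value as loop termination before it is stored into last_page, as 'last_page = rc;' does ahead of the loop.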