This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.
Daniel Willmann daniel at totalueberwachung.deAddress sanitizer complains with a buffer overflow to the end of gsm_fr_map: ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000044f76c at pc 0x43c0dd bp 0x7fff18389db0 sp 0x7fff18389da8 READ of size 1 at 0x00000044f76c thread T0 #0 0x43c0dc in trau_encode_fr /home/alphaone/scm/osmo/openbsc/openbsc/src/libtrau/trau_mux.c:441 #1 0x42fad6 in test_trau_fr_efr /home/alphaone/scm/osmo/openbsc/openbsc/tests/trau/trau_test.c:35 #2 0x4308f4 in main /home/alphaone/scm/osmo/openbsc/openbsc/tests/trau/trau_test.c:70 #3 0x7f96e8cf04bc (/lib64/libc.so.6+0x224bc) #4 0x42f7ec (/home/alphaone/scm/osmo/openbsc/openbsc/tests/trau/trau_test+0x42f7ec) 0x00000044f76c is located 52 bytes to the left of global variable 'c_bits_check_fr' from 'trau_mux.c' (0x44f7a0) of size 5 0x00000044f76c is located 0 bytes to the right of global variable 'gsm_fr_map' from 'trau_mux.c' (0x44f720) of size 76 SUMMARY: AddressSanitizer: global-buffer-overflow /home/alphaone/scm/osmo/openbsc/openbsc/src/libtrau/trau_mux.c:441 trau_encode_fr In the last iteration of the loop k is already set to the next element in gsm_fr_map which leads to an out-of-bounds read. Instead decrement k at the end of the loop and put the check before the data assignment. This is functionally equivalent as k is never < 0 initially. This happens in trau_decode_fr as well. --- openbsc/src/libtrau/trau_mux.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/openbsc/src/libtrau/trau_mux.c b/openbsc/src/libtrau/trau_mux.c index 4f159e4..9b93eda 100644 --- a/openbsc/src/libtrau/trau_mux.c +++ b/openbsc/src/libtrau/trau_mux.c @@ -234,13 +234,14 @@ struct msgb *trau_decode_fr(uint32_t callref, l = 0; /* counts element bits */ o = 0; /* offset input bits */ while (i < 260) { - data[j/8] |= (tf->d_bits[k+o] << (7-(j%8))); - if (--k < 0) { + if (k < 0) { o += gsm_fr_map[l]; k = gsm_fr_map[++l]-1; } + data[j/8] |= (tf->d_bits[k+o] << (7-(j%8))); i++; j++; + k--; } frame->msg_type = GSM_TCHF_FRAME; frame->callref = callref; @@ -435,16 +436,14 @@ void trau_encode_fr(struct decoded_trau_frame *tf, l = 0; /* counts element bits */ o = 0; /* offset output bits */ while (i < 260) { - tf->d_bits[k+o] = (data[j/8] >> (7-(j%8))) & 1; - /* to avoid out-of-bounds access in gsm_fr_map[++l] */ - if (i == 259) - break; - if (--k < 0) { + if (k < 0) { o += gsm_fr_map[l]; k = gsm_fr_map[++l]-1; } + tf->d_bits[k+o] = (data[j/8] >> (7-(j%8))) & 1; i++; j++; + k--; } } -- 1.8.4.2