Stefan Sperling has uploaded this change for review. ( https://gerrit.osmocom.org/10131 )


Change subject: prevent heap overflow in tch_fr_disassemble()
......................................................................

prevent heap overflow in tch_fr_disassemble()

Ensure that sched_prim_init() allocates at least GSM_BURST_PL_LEN
bytes of payload buffer. An incomplete packet received could lead
to short buffer allocation and cause a crash in libosmocore.

Change-Id: I3ae3a1a14d131de256b48d645130df737e9b5f26
Related: OS#3415
---
M src/host/trxcon/sched_prim.c
1 file changed, 1 insertion(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/31/10131/1

diff --git a/src/host/trxcon/sched_prim.c b/src/host/trxcon/sched_prim.c
index 2ee06d7..169a906 100644
--- a/src/host/trxcon/sched_prim.c
+++ b/src/host/trxcon/sched_prim.c
@@ -68,7 +68,7 @@

        /* How much memory do we need? */
        len  = sizeof(struct trx_ts_prim); /* Primitive header */
-       len += pl_len; /* Requested payload size */
+       len += pl_len < GSM_BURST_PL_LEN ? GSM_BURST_PL_LEN : pl_len; /* 
Requested payload size */

        /* Allocate a new primitive */
        new_prim = talloc_zero_size(trx, len);
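
Review bot: On the changed `len += ...` line, only the allocation is padded. A `pl_len` below GSM_BURST_PL_LEN is still accepted, and because the buffer comes from `talloc_zero_size()` the consumer will decode zero padding as if it were payload. If an incomplete packet should be dropped rather than processed, consider also rejecting or logging the short length where the packet is received, and checking the length before it reaches tch_fr_disassemble(), so this allocation floor is a second line of defence and not the only one. The trailing comment still says "Requested payload size", which no longer matches the expression. Something like `len += OSMO_MAX(pl_len, GSM_BURST_PL_LEN); /* Payload, at least one burst */` would be shorter, stay within the line-length limit, and say why the minimum exists.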

--
To view, visit https://gerrit.osmocom.org/10131

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3ae3a1a14d131de256b48d645130df737e9b5f26
Gerrit-Change-Number: 10131
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <ssperl...@sysmocom.de>
