Harald Welte has submitted this change and it was merged.

Change subject: pcu_sock: Don't overflow the timeslot array
pcu_sock: Don't overflow the timeslot array Don't blindly trust that the ts_nr received on the PCU socket will be small enough to not overflow our timeslot array! Change-Id: Ie9964c8dc0ca7b049da7dfec0ac0a0d3f1aedd45 --- M src/common/pcu_sock.c 1 file changed, 6 insertions(+), 0 deletions(-) Approvals: Stefan Sperling: Looks good to me, but someone else must approve Harald Welte: Looks good to me, approved Jenkins Builder: Verified diff --git a/src/common/pcu_sock.c b/src/common/pcu_sock.c index b810174..c8308a9 100644 --- a/src/common/pcu_sock.c +++ b/src/common/pcu_sock.c @@ -521,6 +521,12 @@ rc = -EINVAL; break; } + if (data_req->ts_nr >= ARRAY_SIZE(trx->ts)) { + LOGP(DPCU, LOGL_ERROR, "Received PCU data request with " + "not existing TS %u\n", data_req->ts_nr); + rc = -EINVAL; + break; + } ts = &trx->ts[data_req->ts_nr]; is_ptcch = (data_req->sapi == PCU_IF_SAPI_PTCCH); rc = l1sap_pdch_req(ts, is_ptcch, data_req->fn, data_req->arfcn, -- To view, visit https://gerrit.osmocom.org/6996 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie9964c8dc0ca7b049da7dfec0ac0a0d3f1aedd45 Gerrit-PatchSet: 2 Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Owner: Harald Welte <lafo...@gnumonks.org> Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Stefan Sperling <ssperl...@sysmocom.de>
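
Review bot: In the new bounds check ahead of `ts = &trx->ts[data_req->ts_nr]`, the LOGP message reads "not existing TS" and prints only `ts_nr`; I would word it "non-existent TS" and also print the bound, `ARRAY_SIZE(trx->ts)`, so the log shows how far out of range the value received on the PCU socket was. The check itself sits in the right place, before the index is used, and follows the `rc = -EINVAL; break;` pattern of the check above it. `data_req->fn` and `data_req->arfcn` come from the same request and are handed straight to `l1sap_pdch_req()` in the following context lines, so it is worth confirming that the callee range-checks them, or adding a comment here saying where that validation happens.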