Harald Welte has submitted this change and it was merged.
Change subject: pcu_sock: Don't overflow the timeslot array
......................................................................
pcu_sock: Don't overflow the timeslot array
Don't blindly trust that the ts_nr received on the PCU socket will be
small enough to not overflow our timeslot array!
Change-Id: Ie9964c8dc0ca7b049da7dfec0ac0a0d3f1aedd45
---
M src/common/pcu_sock.c
1 file changed, 6 insertions(+), 0 deletions(-)
Approvals:
Stefan Sperling: Looks good to me, but someone else must approve
Harald Welte: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/common/pcu_sock.c b/src/common/pcu_sock.c
index b810174..c8308a9 100644
--- a/src/common/pcu_sock.c
+++ b/src/common/pcu_sock.c
@@ -521,6 +521,12 @@
rc = -EINVAL;
break;
}
+ if (data_req->ts_nr >= ARRAY_SIZE(trx->ts)) {
+ LOGP(DPCU, LOGL_ERROR, "Received PCU data request with "
+ "not existing TS %u\n", data_req->ts_nr);
+ rc = -EINVAL;
+ break;
+ }
ts = &trx->ts[data_req->ts_nr];
is_ptcch = (data_req->sapi == PCU_IF_SAPI_PTCCH);
rc = l1sap_pdch_req(ts, is_ptcch, data_req->fn, data_req->arfcn,
--
To view, visit https://gerrit.osmocom.org/6996
To unsubscribe, visit https://gerrit.osmocom.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie9964c8dc0ca7b049da7dfec0ac0a0d3f1aedd45
Gerrit-PatchSet: 2
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Stefan Sperling <ssperl...@sysmocom.de>
