From 01e06046379350aa9090ef785a9b0fe2ca03ce23 Mon Sep 17 00:00:00 2001 From: Sylvain Munaut Date: Thu, 3 Jan 2013 09:36:16 +0100 Subject: core/bits: Prevent osmo_revbytebits_buf stack trashing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The second loop in osmo_revbytebits_buf() in src/bits.c grabs 4 bytes each iteration, which can easily go past the supplied input in some cases. Compiled with -fstack-protector, I get a "stack smashing detected" in the bits test. From: Nils O. Selåsdal Signed-off-by: Sylvain Munaut --- src/bits.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/bits.c b/src/bits.c index 4c67bddb..a159fc96 100644 --- a/src/bits.c +++ b/src/bits.c @@ -173,7 +173,7 @@ void osmo_revbytebits_buf(uint8_t *buf, int len) return; } - for (i = unaligned_cnt; i < len; i += 4) { + for (i = unaligned_cnt; i + 3 < len; i += 4) { uint32_t *cur = (uint32_t *) (buf + i); *cur = osmo_revbytebits_32(*cur); len_remain -= 4; -- cgit v1.2.3
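Review bot: With the new bound `i + 3 < len` in the word loop of osmo_revbytebits_buf(), up to three trailing bytes are now skipped by this loop, and the hunk does not show what picks them up. Only `len_remain -= 4` is visible, so please confirm that the code after the loop reverses exactly `len_remain` bytes starting at the offset where this loop stopped, and that nothing downstream still assumes the old `i < len` exit state. A short comment on the loop saying that it only handles whole 32-bit words and that the tail is handled separately would make the invariant explicit. Since the overrun was only caught by -fstack-protector in the bits test, it would also be worth having that test cover every length from 0 to 7 at each starting alignment and compare the result against a byte-wise reversal, so a regression in either the head, word or tail path fails deterministically rather than depending on stack layout.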