authorVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-09-03 15:24:05 +0700
committerlaforge <laforge@osmocom.org>2020-09-08 20:19:18 +0000
commit2eda570b750b5bfda858d5f73d619d5989a26d65 (patch)
treeb3e472a956a457f901e024fbcf0474869bd1e9f9
parent16ca3faf849620cccea813d868eea5379faa5903 (diff)
SI Type 4: prevent potential buffer overflow
Make sure that in generate_si4() we do not corrupt other SI buffers by limiting the maximum length of the Mobile Allocation to 2 octets. This would preserve at least 2 octets for the Rest Octets, which should be enough to encode at least the GPRS Indicator. Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4 Related: SYS#4868, OS#4545
-rw-r--r--src/osmo-bsc/system_information.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 2418e3220..b9699899f 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c
@@ -974,6 +974,9 @@ static int generate_si4(enum osmo_sysinfo_type t, struct gsm_bts *bts)
/* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */
if (ts->hopping.enabled) {
+ /* Prevent potential buffer overflow */
+ if (ts->hopping.ma_len > 2)
+ return -ENOMEM;
tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL,
ts->hopping.ma_len,
ts->hopping.ma_data);
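Review bot: The guard added inside the `if (ts->hopping.enabled)` branch bounds `ts->hopping.ma_len` with a bare literal and fails without any diagnostic, so an operator whose hopping configuration produces a longer Mobile Allocation would only see SI4 generation fail with no stated reason. The reason for the value 2 is given only in the commit message; the comment could carry it, e.g. `/* Limit the MA to 2 octets so that at least 2 octets remain for the SI4 Rest Octets */`, and a named constant would keep the bound tied to the buffer layout if that ever changes. An error-level log line naming the offending `ma_len` before `return -ENOMEM;` would make the rejection visible. generate_si4() starts and ends outside the hunk, so whether the limit could instead be derived from the space actually left in the SI buffer cannot be judged from the lines shown.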