From 2eda570b750b5bfda858d5f73d619d5989a26d65 Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Thu, 3 Sep 2020 15:24:05 +0700
Subject: SI Type 4: prevent potential buffer overflow

Make sure that in generate_si4() we do not corrupt other SI buffers by limiting maximum length of the Mobile Allocation to 2 octets. This would preserve at least 2 octets for the Rest Octets, what should be enough to encode at least GPRS Indicator.

Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4
Related: SYS#4868, OS#4545
---
 src/osmo-bsc/system_information.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 2418e3220..b9699899f 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c
@@ -974,6 +974,9 @@ static int generate_si4(enum osmo_sysinfo_type t, struct gsm_bts *bts)
 /* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */
 if (ts->hopping.enabled) {
+ /* Prevent potential buffer overflow */
+ if (ts->hopping.ma_len > 2)
+ return -ENOMEM;
 tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL, ts->hopping.ma_len, ts->hopping.ma_data);
-- 
cgit v1.2.3
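Review bot: The new guard rejects the Mobile Allocation with a bare `return -ENOMEM;` and no log line, so a cell whose hopping configuration yields `ma_len > 2` silently stops producing SI4 and an operator has nothing to correlate the outage with; log the rejected length at error level before returning, e.g. `/* SI4 cannot fit a CBCH MA longer than 2 octets next to the Rest Octets */` followed by a LOGP call naming the BTS and `ts->hopping.ma_len`. The limit `2` is also a magic number: the commit message says it exists to keep 2 octets free for the Rest Octets, but the hunk does not compare `tail` against the end of the SI4 buffer, so the bound is only correct as long as everything written before this point keeps its current size — a check against the remaining buffer space (buffer end minus `tail`, minus the 2-octet TLV header, minus the space reserved for the Rest Octets) would make the overflow protection robust to later edits of generate_si4(). Reusing `-ENOMEM` for a configuration constraint may also be read by callers as a heap allocation failure; if callers distinguish error codes that is worth a comment at least. The enclosing function generate_si4() starts and ends outside the hunk, and the SI4 buffer size constant it writes into is not visible here.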