From 9d6d9a6b3bac4885ad4828aec33d62fad9544795 Mon Sep 17 00:00:00 2001 From: Stefan Sperling Date: Thu, 23 Aug 2018 14:44:53 +0200 Subject: osmocon: fix read buffer overrun in romload_prepare_block() Address sanitizer triggered when trying to chainload firmware: ==18466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000027850 at pc 0x7f5b94cfb733 bp 0x7ffe33e1ae30 sp 0x7ffe33e1a5d8 READ of size 1014 at 0x631000027850 thread T0 #0 0x7f5b94cfb732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) #1 0x563db4293e6e in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 #2 0x563db4293e6e in romload_prepare_block osmocom-bb/src/host/osmocon/osmocon.c:473 #3 0x563db429541f in handle_read_romload osmocom-bb/src/host/osmocon/osmocon.c:959 #4 0x563db429541f in serial_read osmocom-bb/src/host/osmocon/osmocon.c:1168 #5 0x7f5b94722c83 in osmo_fd_disp_fds libosmocore/src/select.c:217 #6 0x7f5b94722f84 in osmo_select_main libosmocore/src/select.c:257 #7 0x563db4293b1c in main osmocom-bb/src/host/osmocon/osmocon.c:1525 #8 0x7f5b942b9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #9 0x563db4293c79 in _start (prefix/sbin/osmocon+0x1c79) 0x631000027850 is located 0 bytes to the right of 77904-byte region [0x631000014800,0x631000027850) allocated by thread T0 here: #0 0x7f5b94d60b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x563db4294d65 in read_file osmocom-bb/src/host/osmocon/osmocon.c:314 Change-Id: Ie2955e11dd1af75574536774ef7ddf88ddf1fe8b --- src/host/osmocon/osmocon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/host/osmocon') diff --git a/src/host/osmocon/osmocon.c b/src/host/osmocon/osmocon.c index a9497dc4..6075e610 100644 --- a/src/host/osmocon/osmocon.c +++ b/src/host/osmocon/osmocon.c @@ -471,7 +471,7 @@ static int romload_prepare_block(void) remaining_bytes = dnload.data_len - 3 - (dnload.block_payload_size * dnload.block_number); - memcpy(block_data, dnload.write_ptr, dnload.block_payload_size); + memcpy(block_data, dnload.write_ptr, OSMO_MIN(dnload.block_payload_size, remaining_bytes)); if (remaining_bytes <= dnload.block_payload_size) { fill_bytes = (dnload.block_payload_size - remaining_bytes); -- cgit v1.2.3