fixeria has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/38313?usp=email )

( 2 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one. )

Change subject: l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()
......................................................................

l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()

Change-Id: I214070ecf7458202922475505a8747950bedf930
Fixes: d1f8f3429 "l1sap: proper rate adaptation for CSD"
---
M src/common/l1sap.c
1 file changed, 9 insertions(+), 1 deletion(-)

Approvals:
  falconia: Looks good to me, but someone else must approve
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified
  laforge: Looks good to me, but someone else must approve




diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index 5a900f8..63be237 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -2460,7 +2460,9 @@
                OSMO_ASSERT(0);
        }

-       msg = l1sap_msgb_alloc(512);
+#define L1SAP_MSGB_L2LEN_TCH 512
+
+       msg = l1sap_msgb_alloc(L1SAP_MSGB_L2LEN_TCH);
        if (!msg)
                return;

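Review bot: L1SAP_MSGB_L2LEN_TCH is #defined in the middle of the function body, directly above the l1sap_msgb_alloc() call, so it reads as function-local while staying visible for the rest of the file. Consider moving it to the top of l1sap.c, or next to the declaration of l1sap_msgb_alloc(), with a short comment on why 512 is enough for TCH payloads, so that the allocation size and the later bound check share one documented constant.
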
@@ -2479,6 +2481,12 @@
                        return;
                }
        } else {
+               if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH)) {
+                       LOGPLCHAN(lchan, DL1P, LOGL_ERROR,
+                                 "%s(): incoming RTP truncated: %u -> %u\n",
+                                 __func__, rtp_pl_len, L1SAP_MSGB_L2LEN_TCH);
+                       rtp_pl_len = L1SAP_MSGB_L2LEN_TCH; /* truncate */
+               }
                memcpy(msgb_put(msg, rtp_pl_len), rtp_pl, rtp_pl_len);
        }

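Review bot: the new check in the else branch bounds rtp_pl_len by the size requested at allocation, not by the space actually left in msg when msgb_put() runs. The lines between the allocation and this memcpy() are not shown in the diff, so anything already put into msg would make the bound too loose; comparing against msgb_tailroom(msg) would tie the check to the buffer itself. Separately, L1SAP_MSGB_L2LEN_TCH expands to the int literal 512 but is printed with %u, so defining it as 512U or casting it would keep the format string correct. A comment saying why a truncated payload is forwarded rather than dropped would also help the next reader.
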

--
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/38313?usp=email
To unsubscribe, or for help writing mail filters, visit 
https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: merged
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I214070ecf7458202922475505a8747950bedf930
Gerrit-Change-Number: 38313
Gerrit-PatchSet: 3
Gerrit-Owner: fixeria <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: falconia <[email protected]>
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
