[PATCH] osmo-trx[master]: Transceiver.cpp: prevent out-of-range array access

2018-03-09 Thread Vadim Yanitskiy
Hello Pau Espin Pedrol, Jenkins Builder,

I'd like you to reexamine a change.  Please visit

https://gerrit.osmocom.org/7174

to look at the new patch set (#2).

Transceiver.cpp: prevent out-of-range array access

There was no simple range check for both (NO)HANDOVER commands,
so an out-of-range access was possible. For example, a command:

  CMD HANDOVER 0 -3

might enable EDGE at run-time, because:

  a[i] == *(a + i)

Let's fix this.

Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
---
M Transceiver52M/Transceiver.cpp
1 file changed, 16 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-trx refs/changes/74/7174/2

diff --git a/Transceiver52M/Transceiver.cpp b/Transceiver52M/Transceiver.cpp
index 859a1de..2d3771c 100644
--- a/Transceiver52M/Transceiver.cpp
+++ b/Transceiver52M/Transceiver.cpp
@@ -727,15 +727,23 @@
   }
 }
   } else if (match_cmd(command, "HANDOVER", )) {
-int ts=0,ss=0;
-sscanf(params, "%d %d", , );
-mHandover[ts][ss] = true;
-sprintf(response,"RSP HANDOVER 0 %d %d",ts,ss);
+unsigned ts = 0, ss = 0;
+sscanf(params, "%u %u", , );
+if (ts > 7 || ss > 7) {
+  sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+} else {
+  mHandover[ts][ss] = true;
+  sprintf(response, "RSP HANDOVER 0 %u %u", ts, ss);
+}
   } else if (match_cmd(command, "NOHANDOVER", )) {
-int ts=0,ss=0;
-sscanf(params, "%d %d", , );
-mHandover[ts][ss] = false;
-sprintf(response,"RSP NOHANDOVER 0 %d %d",ts,ss);
+unsigned ts = 0, ss = 0;
+sscanf(params, "%u %u", , );
+if (ts > 7 || ss > 7) {
+  sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+} else {
+  mHandover[ts][ss] = false;
+  sprintf(response, "RSP NOHANDOVER 0 %u %u", ts, ss);
+}
   } else if (match_cmd(command, "SETMAXDLY", )) {
 //set expected maximum time-of-arrival
 int maxDelay;
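
Review bot: In the HANDOVER branch, the out-of-range path replies with 'RSP NOHANDOVER 1 %u %u', so a rejected HANDOVER command is answered under the wrong command name. It should read 'RSP HANDOVER 1 %u %u' to match the success path of the same branch. The bound 7 is also hard-coded in both branches; a named constant or a value derived from the dimensions of mHandover would keep the check in step with the array if its size ever changes. Switching to unsigned with %u does cover the negative case from the commit message, since sscanf converts an input such as -3 to a large unsigned value that fails the same comparison, and a one-line comment saying so would make that intent clear.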

-- 
To view, visit https://gerrit.osmocom.org/7174

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
Gerrit-PatchSet: 2
Gerrit-Project: osmo-trx
Gerrit-Branch: master
Gerrit-Owner: Vadim Yanitskiy 
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Pau Espin Pedrol 


[PATCH] osmo-trx[master]: Transceiver.cpp: prevent out-of-range array access

2018-03-08 Thread Vadim Yanitskiy

Review at  https://gerrit.osmocom.org/7174

Transceiver.cpp: prevent out-of-range array access

There was no simple range check for both (NO)HANDOVER commands,
so an out-of-range access was possible. For example, a command:

  CMD HANDOVER 0 -3

might enable EDGE at run-time, because:

  a[i] == *(a + i)

Let's fix this.

Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
---
M Transceiver52M/Transceiver.cpp
1 file changed, 16 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-trx refs/changes/74/7174/1

diff --git a/Transceiver52M/Transceiver.cpp b/Transceiver52M/Transceiver.cpp
index 139747c..112cff6 100644
--- a/Transceiver52M/Transceiver.cpp
+++ b/Transceiver52M/Transceiver.cpp
@@ -727,15 +727,23 @@
   }
 }
   } else if (MATCH_CMD(command, "HANDOVER", )) {
-int ts=0,ss=0;
-sscanf(params, "%d %d", , );
-mHandover[ts][ss] = true;
-sprintf(response,"RSP HANDOVER 0 %d %d",ts,ss);
+unsigned ts = 0, ss = 0;
+sscanf(params, "%u %u", , );
+if (ts > 7 || ss > 7) {
+  sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+} else {
+  mHandover[ts][ss] = true;
+  sprintf(response, "RSP HANDOVER 0 %u %u", ts, ss);
+}
   } else if (MATCH_CMD(command, "NOHANDOVER", )) {
-int ts=0,ss=0;
-sscanf(params, "%d %d", , );
-mHandover[ts][ss] = false;
-sprintf(response,"RSP NOHANDOVER 0 %d %d",ts,ss);
+unsigned ts = 0, ss = 0;
+sscanf(params, "%u %u", , );
+if (ts > 7 || ss > 7) {
+  sprintf(response, "RSP NOHANDOVER 1 %u %u", ts, ss);
+} else {
+  mHandover[ts][ss] = false;
+  sprintf(response, "RSP NOHANDOVER 0 %u %u", ts, ss);
+}
   } else if (MATCH_CMD(command, "SETMAXDLY", )) {
 //set expected maximum time-of-arrival
 int maxDelay;
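
Review bot: The return value of sscanf is not checked in either the HANDOVER or the NOHANDOVER branch, so a parameter string with fewer than two numbers leaves ts and/or ss at the initial 0, passes the new 'ts > 7 || ss > 7' test, and the command modifies an mHandover entry the caller never named while reporting status 0. Compare the sscanf result against 2 and send the status-1 response when it differs. Both branches also format the reply with sprintf; since ts and ss are echoed back even when they are out of range, snprintf with the size of the response buffer would be the safer call here.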

-- 
To view, visit https://gerrit.osmocom.org/7174

Gerrit-MessageType: newchange
Gerrit-Change-Id: I24a5f70e8e8097f218d7cbdef8cb10df2c35416f
Gerrit-PatchSet: 1
Gerrit-Project: osmo-trx
Gerrit-Branch: master
Gerrit-Owner: Vadim Yanitskiy