SI Type 4: prevent potential buffer overflow
Make sure that in generate_si4() we do not corrupt other SI buffers
by limiting maximum length of the Mobile Allocation to 2 octets.
This would preserve at least 2 octets for the Rest Octets, which
should be enough to encode at least the GPRS Indicator.
Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4
Related: SYS#4868, OS#4545
diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 2418e32..b969989 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c
@@ -974,6 +974,9 @@
/* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */
if (ts->hopping.enabled) {
+ /* Prevent potential buffer overflow */
+ if (ts->hopping.ma_len > 2)
+ return -ENOMEM;
tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL,
ts->hopping.ma_len,
ts->hopping.ma_data);
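Review bot: The limit in `if (ts->hopping.ma_len > 2)` is a bare magic number, and the comment above it only says "Prevent potential buffer overflow" without saying where the 2 comes from. The commit message has the reasoning (keep at least 2 octets for the Rest Octets), so carry it into the comment or a named constant, or derive the limit from the space actually left after `tail` so the check stays correct if the IEs written before this one change. The early `return -ENOMEM;` is also silent: a log line giving the rejected `ma_len` would make it clear why SI4 was not generated, and it is worth confirming that the callers of generate_si4() handle a negative return.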