SI Type 4: prevent potential buffer overflow Make sure that in generate_si4() we do not corrupt other SI buffers by limiting maximum length of the Mobile Allocation to 2 octets. This would preserve at least 2 octets for the Rest Octets, what should be enough to encode at least GPRS Indicator. Change-Id: I2e3553865096faecda6bb22fc25b83fd47b738c4 Related: SYS#4868, OS#4545

commit: 2eda570b750b5bfda858d5f73d619d5989a26d65 [log] [tgz]
author: Vadim Yanitskiy <vyanitskiy@sysmocom.de> Thu Sep 03 15:24:05 2020 +0700
committer: laforge <laforge@osmocom.org> Tue Sep 08 20:19:18 2020 +0000
tree: b3e472a956a457f901e024fbcf0474869bd1e9f9
parent: 16ca3faf849620cccea813d868eea5379faa5903 [diff]
diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 2418e32..b969989 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c

@@ -974,6 +974,9 @@
 
 		/* 10.5.2.21 (TLV) CBCH Mobile Allocation IE */
 		if (ts->hopping.enabled) {
+			/* Prevent potential buffer overflow */
+			if (ts->hopping.ma_len > 2)
+				return -ENOMEM;
 			tail = tlv_put(tail, GSM48_IE_CBCH_MOB_AL,
 				       ts->hopping.ma_len,
 				       ts->hopping.ma_data);
commit	2eda570b750b5bfda858d5f73d619d5989a26d65	[log] [tgz]
author	Vadim Yanitskiy <vyanitskiy@sysmocom.de>	Thu Sep 03 15:24:05 2020 +0700
committer	laforge <laforge@osmocom.org>	Tue Sep 08 20:19:18 2020 +0000
tree	b3e472a956a457f901e024fbcf0474869bd1e9f9
parent	16ca3faf849620cccea813d868eea5379faa5903 [diff]