pcu_l1_if: Check pag_req id_lv len fits buffer
Related: OS#4316
Change-Id: I803e1d2577a0d210e74feb5ca4c216375a5024ea
diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 5e22c5c..98e697d 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <unistd.h>
+#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
@@ -636,6 +637,13 @@
LOGP(DL1IF, LOGL_DEBUG, "Paging request received: chan_needed=%d "
"length=%d\n", pag_req->chan_needed, pag_req->identity_lv[0]);
+ /* check if identity does not fit: length > sizeof(lv) - 1 */
+ if (pag_req->identity_lv[0] >= sizeof(pag_req->identity_lv)) {
+ LOGP(DL1IF, LOGL_ERROR, "Paging identity too large (%" PRIu8 ")\n",
+ pag_req->identity_lv[0]);
+ return -EINVAL;
+ }
+
return BTS::main_bts()->add_paging(pag_req->chan_needed,
pag_req->identity_lv);
}
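Review bot: The new guard before the `add_paging()` call bounds `pag_req->identity_lv[0]` only from above, so a zero-length identity still reaches `BTS::main_bts()->add_paging()`. Whether add_paging tolerates an empty value is not visible here; if it reads the identity-type octet unconditionally, the condition should become `if (pag_req->identity_lv[0] == 0 || pag_req->identity_lv[0] >= sizeof(pag_req->identity_lv)) {`. The bound is also taken against the struct field rather than the number of bytes actually received, so it presumes the caller has already verified that the message covers the whole `pag_req` structure; a one-line comment stating that assumption would help the next reader. The enclosing function starts outside the hunk, so the caller-side length check could not be confirmed from here.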