Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-pcu / 32499b614b9453f50df806ff52a4e3d1654d0e4f^! / . / src / pcu_l1_if.cpp
commit32499b614b9453f50df806ff52a4e3d1654d0e4f[log] [tgz]
authorPau Espin Pedrol <pespin@sysmocom.de>Mon Dec 09 13:55:12 2019 +0100
committerPau Espin Pedrol <pespin@sysmocom.de>Mon Dec 09 13:55:14 2019 +0100
tree3b5c96090d4287767bbd2d51d14faac9052655ae
parent30f6617c799d3b8fd7ce705aa0becac40b830a50 [diff] [blame]
pcu_l1_if: Check pag_req id_lv len fits buffer

Related: OS#4316
Change-Id: I803e1d2577a0d210e74feb5ca4c216375a5024ea

diff --git a/src/pcu_l1_if.cpp b/src/pcu_l1_if.cpp
index 5e22c5c..98e697d 100644
--- a/src/pcu_l1_if.cpp
+++ b/src/pcu_l1_if.cpp

@@ -19,6 +19,7 @@
 
 #include <stdio.h>
 #include <unistd.h>
+#include <inttypes.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
@@ -636,6 +637,13 @@
 	LOGP(DL1IF, LOGL_DEBUG, "Paging request received: chan_needed=%d "
 		"length=%d\n", pag_req->chan_needed, pag_req->identity_lv[0]);
 
+	/* check if identity does not fit: length > sizeof(lv) - 1 */
+	if (pag_req->identity_lv[0] >= sizeof(pag_req->identity_lv)) {
+		LOGP(DL1IF, LOGL_ERROR, "Paging identity too large (%" PRIu8 ")\n",
+			pag_req->identity_lv[0]);
+		return -EINVAL;
+	}
+
 	return BTS::main_bts()->add_paging(pag_req->chan_needed,
 						pag_req->identity_lv);
 }