Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / a60bb3dd28ce9e3720f8ee1b262893f3e233e2e6^! / .
commita60bb3dd28ce9e3720f8ee1b262893f3e233e2e6[log] [tgz]
authorMax <msuraev@sysmocom.de>Mon Jun 12 13:45:03 2017 +0200
committerMax <msuraev@sysmocom.de>Mon Jun 12 13:45:03 2017 +0200
treebe698dbb4442c6a179eea00109466ee66beb9ce0
parentc51c1e795091ba7663a2303bda48cb12fa327c19 [diff]
OML: fix potential OOB memory access

Use sizeof target BTS feature storage to make sure we always fit into
pre-allocated memory. Also use it for log check.

Change-Id: Ib107daa6e8b9bc397a10756071849f8ff82455d5
Fixes: CID 170581

diff --git a/openbsc/src/libbsc/abis_nm.c b/openbsc/src/libbsc/abis_nm.c
index 551c0bf..1715688 100644
--- a/openbsc/src/libbsc/abis_nm.c
+++ b/openbsc/src/libbsc/abis_nm.c

@@ -490,13 +490,13 @@
 			m_id_len = MAX_BTS_FEATURES/8;
 		}
 
-		if (m_id_len > _NUM_BTS_FEAT/8 + 1)
+		if (m_id_len > sizeof(bts->_features_data))
 			LOGP(DNM, LOGL_NOTICE, "BTS%u Get Attributes Response: reported unexpectedly long (%u bytes) "
 			     "feature vector - most likely it was compiled against newer BSC headers. "
 			     "Consider upgrading your BSC to later version.\n",
 			     bts->nr, m_id_len);
 
-		memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), m_id_len);
+		memcpy(bts->_features_data, TLVP_VAL(&tp, NM_ATT_MANUF_ID), sizeof(bts->_features_data));
 		adjust = m_id_len + 3; /* adjust for parsed TL16V struct */
 
 		for (i = 0; i < _NUM_BTS_FEAT; i++)