From 2ca894df018cf811c2eaac1964fd65c4bec28c62 Mon Sep 17 00:00:00 2001
From: Andre Puschmann <andre@softwareradiosystems.com>
Date: Sat, 2 Jan 2021 17:10:12 +0100
Subject: [PATCH] pdu: fortify RAR packing

detected with ASAN trying to write negative number of padding bytes.

The patch checks the calculated length and returns with an error
if the length is negative.

=================================================================
==5759==AddressSanitizer: while reporting a bug found another one. Ignoring.
m==5759==ERROR: AddressSanitizer: negative-size-param: (size=-6)
---
 lib/src/mac/pdu.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/src/mac/pdu.cc b/lib/src/mac/pdu.cc
index 8ff97ea3f..43d3fc3f5 100644
--- a/lib/src/mac/pdu.cc
+++ b/lib/src/mac/pdu.cc
@@ -1068,7 +1068,18 @@ bool rar_pdu::write_packet(uint8_t* ptr)
   }
 
   // Set padding to zeros (if any)
-  bzero(ptr, (rem_len - (ptr - init_ptr)) * sizeof(uint8_t));
+  int32_t payload_len = ptr - init_ptr;
+  int32_t pad_len     = rem_len - payload_len;
+  if (pad_len < 0) {
+    if (log_h) {
+      log_h->error("Error packing RAR PDU (payload_len=%d, rem_len=%d)\n", payload_len, rem_len);
+    } else {
+      srslte::console("Error packing RAR PDU (payload_len=%d, rem_len=%d)\n", payload_len, rem_len);
+    }
+    return false;
+  } else {
+    bzero(ptr, pad_len * sizeof(uint8_t));
+  }
 
   return true;
 }