From 75a6fa8e906093af76e7d2671a8cdb00deff8aa2 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Sun, 13 May 2018 10:08:43 +0200
Subject: [PATCH] check and protect PDUs buffer in handle_data_pdu()
---
 lib/src/upper/rlc_am.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/src/upper/rlc_am.cc b/lib/src/upper/rlc_am.cc
index fd90085d1..461d5141d 100644
--- a/lib/src/upper/rlc_am.cc
+++ b/lib/src/upper/rlc_am.cc
@@ -920,6 +920,13 @@ void rlc_am::handle_data_pdu(uint8_t *payload, uint32_t nof_bytes, rlc_amd_pdu_h
 #endif
 }
+ // check available space for payload
+ if (nof_bytes > pdu.buf->get_tailroom()) {
+ log->error("%s Discarding SN: %d of size %d B (available space %d B)\n",
+ rrc->get_rb_name(lcid).c_str(), header.sn, nof_bytes, pdu.buf->get_tailroom());
+ pool->deallocate(pdu.buf);
+ return;
+ }
 memcpy(pdu.buf->msg, payload, nof_bytes);
 pdu.buf->N_bytes = nof_bytes;
 memcpy(&pdu.header, &header, sizeof(rlc_amd_pdu_header_t));
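Review bot: The error message formats `nof_bytes` with `%d` even though the signature in the hunk header declares it `uint32_t`, so the oversized lengths this guard exists to reject can be logged as negative numbers. I would use `"%s Discarding SN: %d of size %u B (available space %u B)\n"`, assuming `get_tailroom()` also returns an unsigned value, which is not visible here. The guard is only a sound bound for the `memcpy` into `pdu.buf->msg` if tailroom is measured from `msg` with `N_bytes` still zero at this point; a one-line comment stating that assumption would help, since the body of `handle_data_pdu()` starts and ends outside the hunk and the allocation of `pdu.buf` is not shown.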