- Fixed a heap corruption where recvfrom could write past the buffer end.

srsepc/src/mme/mme.cc

@@ -170,7 +170,7 @@ void mme::run_thread()
       }
       // Handle S11
       if (FD_ISSET(s11, &m_set)) {
-        pdu->N_bytes = recvfrom(s11, pdu->msg, SRSLTE_MAX_BUFFER_SIZE_BYTES, 0, NULL, NULL);
+        pdu->N_bytes = recvfrom(s11, pdu->msg, sz, 0, NULL, NULL);
         m_mme_gtpc->handle_s11_pdu(pdu);
       }
       // Handle NAS Timers

srsepc/src/mme/mme_gtpc.cc

@@ -146,7 +146,6 @@ bool mme_gtpc::send_create_session_request(uint64_t imsi)
   bzero(&cs_req_pdu, sizeof(struct srslte::gtpc_pdu));
 
   // Setup GTP-C Header. TODO: Length, sequence and other fields need to be added.
-  cs_req_pdu.union_field_size    = sizeof(srslte::gtpc_create_session_request);
   cs_req_pdu.header.piggyback    = false;
   cs_req_pdu.header.teid_present = true;
   cs_req_pdu.header.teid         = 0; // Send create session request to the butler TEID

srsepc/src/spgw/gtpc.cc

@@ -200,9 +200,9 @@ void spgw::gtpc::handle_create_session_request(const struct srslte::gtpc_create_
   tunnel_ctx = create_gtpc_ctx(cs_req);
 
   // Create session response message
-  srslte::gtpc_pdu                      cs_resp_pdu;
-  srslte::gtpc_header*                  header  = &cs_resp_pdu.header;
-  srslte::gtpc_create_session_response* cs_resp = &cs_resp_pdu.choice.create_session_response;
+  srslte::gtpc_pdu                      cs_resp_pdu = {};
+  srslte::gtpc_header*                  header      = &cs_resp_pdu.header;
+  srslte::gtpc_create_session_response* cs_resp     = &cs_resp_pdu.choice.create_session_response;
 
   // Setup GTP-C header
   header->piggyback    = false;