mirror of https://github.com/PentHertz/srsLTE.git
lib,rlc_am_nr: fix out-of-bounds access when unpacking malformed status PDUs
This commit is contained in:
parent
cc93b5b6b0
commit
e891d72ab8
|
@ -342,6 +342,12 @@ rlc_am_nr_read_status_pdu_12bit_sn(const uint8_t* payload, const uint32_t nof_by
|
||||||
ptr++;
|
ptr++;
|
||||||
|
|
||||||
while (e1 != 0) {
|
while (e1 != 0) {
|
||||||
|
// check buffer headroom
|
||||||
|
if (uint32_t(ptr - payload) >= nof_bytes) {
|
||||||
|
fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
// E1 flag set, read a NACK_SN
|
// E1 flag set, read a NACK_SN
|
||||||
rlc_status_nack_t nack = {};
|
rlc_status_nack_t nack = {};
|
||||||
nack.nack_sn = (*ptr & 0xff) << 4;
|
nack.nack_sn = (*ptr & 0xff) << 4;
|
||||||
|
@ -376,10 +382,6 @@ rlc_am_nr_read_status_pdu_12bit_sn(const uint8_t* payload, const uint32_t nof_by
|
||||||
ptr++;
|
ptr++;
|
||||||
}
|
}
|
||||||
status->push_nack(nack);
|
status->push_nack(nack);
|
||||||
if (uint32_t(ptr - payload) > nof_bytes) {
|
|
||||||
fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return SRSRAN_SUCCESS;
|
return SRSRAN_SUCCESS;
|
||||||
|
@ -421,6 +423,12 @@ rlc_am_nr_read_status_pdu_18bit_sn(const uint8_t* payload, const uint32_t nof_by
|
||||||
ptr++;
|
ptr++;
|
||||||
|
|
||||||
while (e1 != 0) {
|
while (e1 != 0) {
|
||||||
|
// check buffer headroom
|
||||||
|
if (uint32_t(ptr - payload) >= nof_bytes) {
|
||||||
|
fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
// E1 flag set, read a NACK_SN
|
// E1 flag set, read a NACK_SN
|
||||||
rlc_status_nack_t nack = {};
|
rlc_status_nack_t nack = {};
|
||||||
|
|
||||||
|
@ -458,10 +466,6 @@ rlc_am_nr_read_status_pdu_18bit_sn(const uint8_t* payload, const uint32_t nof_by
|
||||||
ptr++;
|
ptr++;
|
||||||
}
|
}
|
||||||
status->push_nack(nack);
|
status->push_nack(nack);
|
||||||
if (uint32_t(ptr - payload) > nof_bytes) {
|
|
||||||
fprintf(stderr, "Malformed PDU, trying to read more bytes than it is available\n");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return SRSRAN_SUCCESS;
|
return SRSRAN_SUCCESS;
|
||||||
|
|
Loading…
Reference in New Issue