Bug #3289

closed

stack buffer overflow in pcu_l1if_tx_pch()

Added by stsp almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 05/25/2018
Due date:
% Done: 0%
Spec Reference:

Description

AddressSanitizer found the following stack buffer overflow.

I will submit a patch to gerrit shortly.
This is a one-byte overrun due to an off-by-one in the size of a buffer on the stack in pcu_l1if_tx_pch().

% Ignoring deprecated logging level everything
<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:308 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:312 Sending version 0.5.0.3-7a9c to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.0.3-7a9c TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:442 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000b> gprs_ns.c:1641 NS UDP socket at 0.0.0.0:23000
<000b> gprs_ns.c:266 NSVCI=1234 Creating NS-VC
<000b> gprs_ns.c:1659 NSEI=1234 RESET procedure based on API request
<000b> gprs_ns.c:449 NSEI=1234 Tx NS RESET (NSVCI=1234, cause=O&M intervention)
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=4
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=4
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=5
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=5
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=6
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=6
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=7
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=7
<000b> gprs_ns.c:998 NSVCI=1234 Rx NS RESET ACK (NSEI=1234, NSVCI=1234)
<000b> gprs_ns.c:558 NSEI=1234 Tx NS UNBLOCK (NSVCI=1234)
<000b> gprs_ns.c:1420 NSEI=1234 Rx NS UNBLOCK ACK
<000d> gprs_bssgp_pcu.cpp:546 NS-VC 1234 is unblocked.
<000c> gprs_bssgp_pcu.cpp:825 Sending reset on BVCI 0
<000c> gprs_bssgp_bss.c:294 BSSGP (BVCI=0) Tx BVC-RESET CAUSE=O&M intervention
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:304 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK
<000c> gprs_bssgp_pcu.cpp:833 Sending reset on BVCI 1234
<000c> gprs_bssgp_bss.c:294 BSSGP (BVCI=1234) Tx BVC-RESET CAUSE=O&M intervention
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:304 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK
<000c> gprs_bssgp_pcu.cpp:841 Sending unblock on BVCI 1234
<000c> gprs_bssgp_bss.c:274 BSSGP (BVCI=1234) Tx BVC-BLOCK
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:195  P-TMSI =
<0002> gprs_rlcmac.cpp:34 TX: [PCU -> BTS] Paging Request (CCCH)
=================================================================
==2858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7c579b8a at pc 0x7fe285a6a33e bp 0x7ffc7c579ae0 sp 0x7ffc7c579ad0
WRITE of size 1 at 0x7ffc7c579b8a thread T0
    #0 0x7fe285a6a33d in bitvec_pack /home/stsp/osmo/libosmocore/src/bitvec.c:439
    #1 0x556b9b7155e1 in pcu_l1if_tx_pch(bitvec*, int, char const*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:230
    #2 0x556b9b71060c in gprs_rlcmac_paging_request(unsigned char*, unsigned short, char const*) /home/stsp/osmo/osmo-pcu/src/gprs_rlcmac.cpp:38
    #3 0x556b9b70b51f in gprs_bssgp_pcu_rx_paging_ps(msgb*, tlv_parsed*) /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:208
    #4 0x556b9b70dd4e in gprs_bssgp_pcu_rx_sign /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:312
    #5 0x556b9b70dd4e in gprs_bssgp_pcu_rcvmsg /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:432
    #6 0x7fe2867c649c in gprs_ns_rx_unitdata /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:785
    #7 0x7fe2867ce236 in gprs_ns_process_msg /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1401
    #8 0x7fe2867cbb6f in gprs_ns_rcvmsg /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1171
    #9 0x7fe2867cfe19 in handle_nsip_read /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1549
    #10 0x7fe2867d0106 in nsip_fd_cb /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1582
    #11 0x7fe285a60763 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #12 0x7fe285a60a64 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #13 0x556b9b66a766 in main /home/stsp/osmo/osmo-pcu/src/pcu_main.cpp:337
    #14 0x7fe284111b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x556b9b66bf39 in _start (/home/stsp/osmo/prefix/bin/osmo-pcu+0x152f39)

Address 0x7ffc7c579b8a is located in stack of thread T0 at offset 58 in frame
    #0 0x556b9b7153df in pcu_l1if_tx_pch(bitvec*, int, char const*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:219

  This frame has 1 object(s):
    [32, 58) 'data' <== Memory access at offset 58 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/stsp/osmo/libosmocore/src/bitvec.c:439 in bitvec_pack
Shadow bytes around the buggy address:
  0x10000f8a7320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7360: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
=>0x10000f8a7370: 00[02]f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7380: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10000f8a7390: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a73a0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 f2 f2
  0x10000f8a73b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a73c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
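The report above says the frame holds a single 26-byte object 'data' and that a 1-byte write lands at offset 58, exactly one past its end. The following is an added illustration of that class of bug and the check that catches it; it is not osmo-pcu's code. The 23-byte block length, the 4-byte prefix and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes for the illustration: a fixed-length block that is sent
 * to the BTS with a small prefix written in front of it. */
#define BLOCK_LEN   23                        /* assumed payload length */
#define PREFIX_LEN  4                         /* assumed prefix length */
#define PCH_BUF_LEN (PREFIX_LEN + BLOCK_LEN)  /* derived, not hand-counted */

/* Compile-time guard: the buffer length must be derived from the same
 * constants that decide how much is written into it. */
_Static_assert(PCH_BUF_LEN >= PREFIX_LEN + BLOCK_LEN, "PCH buffer too small");

/* Constructed sample payload (not a real paging block). */
const uint8_t sample_block[BLOCK_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};

/* Bounds-checked copy of block_len bytes to out[offset..]. Returns the
 * number of bytes that would be occupied, or -1 if the write would leave
 * the buffer. The subtraction cannot underflow because offset <= out_len
 * is established first. */
int pack_checked(uint8_t *out, size_t out_len, size_t offset,
                 const uint8_t *block, size_t block_len)
{
    if (offset > out_len || block_len > out_len - offset)
        return -1;
    memcpy(out + offset, block, block_len);
    return (int)(offset + block_len);
}

/* The bug pattern: the buffer is sized with a hand-counted prefix of 3
 * bytes while 4 prefix bytes are actually written, so the last payload
 * byte lands one past the end (26-byte buffer, write at offset 26). */
int build_pch_too_small(const uint8_t *block)
{
    uint8_t data[BLOCK_LEN + 3];
    memset(data, 0, sizeof(data));
    return pack_checked(data, sizeof(data), PREFIX_LEN, block, BLOCK_LEN);
}

/* Fixed pattern: buffer size and prefix length come from one definition. */
int build_pch_sized(const uint8_t *block)
{
    uint8_t data[PCH_BUF_LEN];
    memset(data, 0, sizeof(data));
    return pack_checked(data, sizeof(data), PREFIX_LEN, block, BLOCK_LEN);
}
```

With the checked helper the undersized variant fails cleanly instead of corrupting the stack, which is the same condition the sanitizer flagged at runtime.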

#2

Updated by stsp almost 6 years ago

  • Status changed from New to Resolved

Above fix has been merged.
