Bug #3289
stack buffer overflow in pcu_l1if_tx_pch()
Status: closed
Start date: 05/25/2018
% Done: 0%
Description
Address sanitizer found the following stack buffer overflow.
I will submit a patch to gerrit shortly.
This is a one-byte overrun due to an off-by-one in the size of a buffer on the stack in pcu_l1if_tx_pch().
% Ignoring deprecated logging level everything
<000e> telnet_interface.c:104 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:248 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:308 osmo-bts PCU socket /tmp/pcu_bts has been connected
<0001> osmobts_sock.cpp:312 Sending version 0.5.0.3-7a9c to BTS.
<0001> pcu_l1_if.cpp:113 Sending 0.5.0.3-7a9c TXT as PCU_VERSION to BTS
<0001> pcu_l1_if.cpp:442 BTS available
<000b> gprs_ns.c:266 NSVCI=65534 Creating NS-VC
<000b> gprs_ns.c:1622 Listening for nsip packets from 127.0.0.1:23020 on 0.0.0.0:23000
<000b> gprs_ns.c:1641 NS UDP socket at 0.0.0.0:23000
<000b> gprs_ns.c:266 NSVCI=1234 Creating NS-VC
<000b> gprs_ns.c:1659 NSEI=1234 RESET procedure based on API request
<000b> gprs_ns.c:449 NSEI=1234 Tx NS RESET (NSVCI=1234, cause=O&M intervention)
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=4
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=4
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=5
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=5
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=6
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=6
<0001> pcu_l1_if.cpp:125 Sending activate request: trx=0 ts=7
<0001> pcu_l1_if.cpp:569 PDCH: trx=0 ts=7
<000b> gprs_ns.c:998 NSVCI=1234 Rx NS RESET ACK (NSEI=1234, NSVCI=1234)
<000b> gprs_ns.c:558 NSEI=1234 Tx NS UNBLOCK (NSVCI=1234)
<000b> gprs_ns.c:1420 NSEI=1234 Rx NS UNBLOCK ACK
<000d> gprs_bssgp_pcu.cpp:546 NS-VC 1234 is unblocked.
<000c> gprs_bssgp_pcu.cpp:825 Sending reset on BVCI 0
<000c> gprs_bssgp_bss.c:294 BSSGP (BVCI=0) Tx BVC-RESET CAUSE=O&M intervention
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:304 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK
<000c> gprs_bssgp_pcu.cpp:833 Sending reset on BVCI 1234
<000c> gprs_bssgp_bss.c:294 BSSGP (BVCI=1234) Tx BVC-RESET CAUSE=O&M intervention
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:304 Rx BSSGP BVCI=-1 (SIGN) BVC_RESET_ACK
<000c> gprs_bssgp_pcu.cpp:841 Sending unblock on BVCI 1234
<000c> gprs_bssgp_bss.c:274 BSSGP (BVCI=1234) Tx BVC-BLOCK
<000c> gprs_bssgp_pcu.cpp:431 rx BVCI_SIGNALLING gprs_bssgp_rx_sign
<000c> gprs_bssgp_pcu.cpp:195 P-TMSI =
<0002> gprs_rlcmac.cpp:34 TX: [PCU -> BTS] Paging Request (CCCH)
=================================================================
==2858==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7c579b8a at pc 0x7fe285a6a33e bp 0x7ffc7c579ae0 sp 0x7ffc7c579ad0
WRITE of size 1 at 0x7ffc7c579b8a thread T0
    #0 0x7fe285a6a33d in bitvec_pack /home/stsp/osmo/libosmocore/src/bitvec.c:439
    #1 0x556b9b7155e1 in pcu_l1if_tx_pch(bitvec*, int, char const*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:230
    #2 0x556b9b71060c in gprs_rlcmac_paging_request(unsigned char*, unsigned short, char const*) /home/stsp/osmo/osmo-pcu/src/gprs_rlcmac.cpp:38
    #3 0x556b9b70b51f in gprs_bssgp_pcu_rx_paging_ps(msgb*, tlv_parsed*) /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:208
    #4 0x556b9b70dd4e in gprs_bssgp_pcu_rx_sign /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:312
    #5 0x556b9b70dd4e in gprs_bssgp_pcu_rcvmsg /home/stsp/osmo/osmo-pcu/src/gprs_bssgp_pcu.cpp:432
    #6 0x7fe2867c649c in gprs_ns_rx_unitdata /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:785
    #7 0x7fe2867ce236 in gprs_ns_process_msg /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1401
    #8 0x7fe2867cbb6f in gprs_ns_rcvmsg /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1171
    #9 0x7fe2867cfe19 in handle_nsip_read /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1549
    #10 0x7fe2867d0106 in nsip_fd_cb /home/stsp/osmo/libosmocore/src/gb/gprs_ns.c:1582
    #11 0x7fe285a60763 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #12 0x7fe285a60a64 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #13 0x556b9b66a766 in main /home/stsp/osmo/osmo-pcu/src/pcu_main.cpp:337
    #14 0x7fe284111b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x556b9b66bf39 in _start (/home/stsp/osmo/prefix/bin/osmo-pcu+0x152f39)

Address 0x7ffc7c579b8a is located in stack of thread T0 at offset 58 in frame
    #0 0x556b9b7153df in pcu_l1if_tx_pch(bitvec*, int, char const*) /home/stsp/osmo/osmo-pcu/src/pcu_l1_if.cpp:219

  This frame has 1 object(s):
    [32, 58) 'data' <== Memory access at offset 58 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/stsp/osmo/libosmocore/src/bitvec.c:439 in bitvec_pack
Shadow bytes around the buggy address:
  0x10000f8a7320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7360: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
=>0x10000f8a7370: 00[02]f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10000f8a7380: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10000f8a7390: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a73a0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 f2 f2
  0x10000f8a73b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f8a73c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
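The trace above says the 26-byte stack object 'data' ([32, 58)) was written at offset 58, one byte past its end, while a bit vector was being packed into it. The C below is an added illustration of that class of sizing mistake and is not code from this report, from osmo-pcu or from libosmocore: the `struct bits` type, `bytes_for_bits()`, `pack_checked()` and `demo_sizing()` are all constructed for the example. It rounds the packed length up from the bit count, and the pack routine takes the destination length and refuses to write when the caller's buffer is one byte short, so the mismatch surfaces as an error return rather than as a stack overrun that only a sanitizer would catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a bit vector: nbits valid bits, stored MSB-first.
 * Hypothetical type for this example, not libosmocore's struct bitvec. */
struct bits {
    const uint8_t *bytes;   /* packed storage, most significant bit first */
    size_t nbits;           /* number of valid bits */
};

/* Bytes needed to hold nbits bits, rounding up: 216 bits -> 27 bytes,
 * 9 bits -> 2 bytes, 0 bits -> 0 bytes. Rounding down (nbits / 8) is the
 * classic way an output buffer ends up one byte short. */
size_t bytes_for_bits(size_t nbits)
{
    return (nbits + 7) / 8;
}

/* Checked pack: copies the packed bytes into out only when they fit.
 * Returns the number of bytes written, or 0 if out_len is too small, so a
 * mis-sized caller buffer yields an error instead of an out-of-bounds write. */
size_t pack_checked(const struct bits *bv, uint8_t *out, size_t out_len)
{
    size_t need = bytes_for_bits(bv->nbits);
    if (need == 0 || need > out_len)
        return 0;
    memcpy(out, bv->bytes, need);
    return need;
}

/* Replays the shape of the report's mismatch in checked form: a vector that
 * packs to 27 bytes offered a 26-byte buffer (the trace's 'data' object is
 * 26 bytes, [32, 58)). Returns 1 when the short buffer is refused and the
 * correctly sized buffer is filled with the expected bytes, 0 otherwise. */
int demo_sizing(void)
{
    uint8_t payload[27];                      /* constructed sample content */
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)(0xA0 + i);
    struct bits bv = { payload, sizeof payload * 8 };   /* 216 bits */

    uint8_t too_small[26];                    /* one byte short, like 'data' */
    uint8_t right_size[(216 + 7) / 8];        /* 27, from the bit count */

    if (pack_checked(&bv, too_small, sizeof too_small) != 0)
        return 0;                             /* must be refused, not overrun */
    if (pack_checked(&bv, right_size, sizeof right_size) != sizeof right_size)
        return 0;
    return memcmp(right_size, payload, sizeof right_size) == 0;
}

int main(void)
{
    int ok = demo_sizing();
    printf("checked pack with 26-byte vs 27-byte buffer: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Sizing the destination from the same bit count the packer uses, and passing that length into the packer, removes the two places an off-by-one can hide: a hand-written array size and an unchecked copy. Building with -fsanitize=address, as the reporter did, is what turns the remaining one-byte overruns into a crash with a frame layout like the one above instead of silent stack corruption.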