[1/4] nat: Fix timeslot range in 'show bsc mgcp' VTY command

Message ID 1428421790-3423-1-git-send-email-jerlbeck@sysmocom.de
State Accepted

Commit Message

Jacob Erlbeck April 7, 2015, 3:49 p.m. UTC
Currently the inner loop in show_bsc_mgcp iterates over the timeslot
interval [0, 31]. Timeslot 0 is not valid, which causes
mgcp_timeslot_to_endpoint to generate a corresponding warning and to
return an invalid endp value. That value causes an out-of-bound
read access, possibly hitting unallocated memory.

This patch fixes the loop range by starting with timeslot 1.

Note that this does not prevent mgcp_timeslot_to_endpoint from
returning an invalid endpoint index when called with arguments not
within its domain.

Addresses:
<000b> ../../include/openbsc/mgcp.h:250 Timeslot should not be 0
[...]
    vty=0xb4203db0, argc=1, argv=0xbfffebb0) at bsc_nat_vty.c:256
        max = 1
        con = 0xb4a004f0
        i = 0
        j = 0
[...]
==15700== ERROR: AddressSanitizer: heap-use-after-free on address
0xb520be4f at pc 0x8062a42 bp 0xbfffeb18 sp 0xbfffeb0c

Sponsored-by: On-Waves ehf
---
 openbsc/src/osmo-bsc_nat/bsc_nat_vty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c b/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c
index 5f4ad28..2b7db2e 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat_vty.c
@@ -250,7 +250,7 @@  DEFUN(show_bsc_mgcp, show_bsc_mgcp_cmd, "show bsc mgcp NR",
 		vty_out(vty, "MGCP Status for %d%s", con->cfg->nr, VTY_NEWLINE);
 		max = bsc_mgcp_nr_multiplexes(con->max_endpoints);
 		for (i = 0; i < max; ++i) {
-			for (j = 0; j < 32; ++j) {
+			for (j = 1; j < 32; ++j) {
 				endp = mgcp_timeslot_to_endpoint(i, j);
 				vty_out(vty, " Endpoint 0x%x %s%s", endp,
 					con->_endpoint_status[endp] == 0
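Review bot: the lookup `con->_endpoint_status[endp]` in this hunk still uses the return value of `mgcp_timeslot_to_endpoint(i, j)` unchecked, and the commit message itself states that the function returns an invalid endpoint index for arguments outside its domain; starting at `j = 1` removes the one known bad input but leaves the read unguarded against any other invalid result. Consider validating `endp` before indexing, e.g. `if (endp >= con->max_endpoints) continue;` (assuming `max_endpoints` is the bound that sizes `_endpoint_status`, as the call `bsc_mgcp_nr_multiplexes(con->max_endpoints)` two lines above suggests), so the VTY command cannot read past the array even if the helper misbehaves. As a style point, the literal `32` and the new `1` lower bound are the timeslot range of one multiplex; a named constant for the number of timeslots and a comment that timeslot 0 is reserved would make the intent of `j = 1` clear to the next reader.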