sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[PFCP] Fixed Possible heap buffer overflow (#2585) 

After examining the call stack and reading the source code, I found that
in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1;
then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i;
ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
This commit is contained in:
Sukchan Lee 2023-09-06 07:13:14 +09:00
parent 2aa12449aa
commit 2fbc445d32
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/pfcp/context.c
View File

@ -72,7 +72,7 @@ void ogs_pfcp_context_init(void)
ogs_pool_random_id_generate(&ogs_pfcp_pdr_teid_pool);
pdr_random_to_index = ogs_calloc(
sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size);
sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size+1);
ogs_assert(pdr_random_to_index);
for (i = 0; i < ogs_pfcp_pdr_pool.size; i++)
pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i;