forked from acouzens/open5gs
[PFCP] Fixed Possible heap buffer overflow (#2585)
After examining the call stack and reading the source code, I found that in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1; then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i; ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
This commit is contained in:
parent
2aa12449aa
commit
2fbc445d32
|
@ -72,7 +72,7 @@ void ogs_pfcp_context_init(void)
|
|||
ogs_pool_random_id_generate(&ogs_pfcp_pdr_teid_pool);
|
||||
|
||||
pdr_random_to_index = ogs_calloc(
|
||||
sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size);
|
||||
sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size+1);
|
||||
ogs_assert(pdr_random_to_index);
|
||||
for (i = 0; i < ogs_pfcp_pdr_pool.size; i++)
|
||||
pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i;
|
||||
|
|
Loading…
Reference in New Issue