forked from acouzens/open5gs
Daniel Willmann
ef60207c1e
The current code uses the cc request number as an index to the transaction array (xact/xact_data). Since cc request number is a 32 bit integer this is unfeasible for longer sessions and if more than a handful of messages are exchanged per session. The array size was already increased in #2038 which simply delays the issue. Furthermore, the current code asserts that cc_request_number is <= MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if cc_request_number == MAX_CC_REQUEST_NUMBER. Instead use a smaller array and index into it using cc_request_number % array size. More than 2 requests should never be in flight at any one time (initial or update request together with a termination request) so an array size of 4 should be fine. |
||
|---|---|---|
| .. | ||
| amf | ||
| ausf | ||
| bsf | ||
| hss | ||
| mme | ||
| nrf | ||
| nssf | ||
| pcf | ||
| pcrf | ||
| scp | ||
| sgwc | ||
| sgwu | ||
| smf | ||
| udm | ||
| udr | ||
| upf | ||
| main.c | ||
| meson.build | ||