forked from acouzens/open5gs
Daniel Willmann
ef60207c1e
The current code uses the cc request number as an index to the transaction array (xact/xact_data). Since cc request number is a 32-bit integer this is unfeasible for longer sessions and if more than a handful of messages are exchanged per session. The array size was already increased in #2038 which simply delays the issue. Furthermore, the current code asserts that cc_request_number is <= MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if cc_request_number == MAX_CC_REQUEST_NUMBER. Instead use a smaller array and index into it using cc_request_number % array size. More than 2 requests should never be in flight at any one time (initial or update request together with a termination request) so an array size of 4 should be fine.

amf
ausf
bsf
hss
mme
nrf
nssf
pcf
pcrf
scp
sgwc
sgwu
smf
udm
udr
upf
main.c
meson.build