From 2ca894df018cf811c2eaac1964fd65c4bec28c62 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Sat, 2 Jan 2021 17:10:12 +0100
Subject: [PATCH] pdu: fortify RAR packing detected with ASAN trying to write negative number of padding bytes. The patch checks the calculated length and returns with an error if the length is negative.
=================================================================
==5759==AddressSanitizer: while reporting a bug found another one. Ignoring.
m==5759==ERROR: AddressSanitizer: negative-size-param: (size=-6)
---
 lib/src/mac/pdu.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/src/mac/pdu.cc b/lib/src/mac/pdu.cc
index 8ff97ea3f..43d3fc3f5 100644
--- a/lib/src/mac/pdu.cc
+++ b/lib/src/mac/pdu.cc
@@ -1068,7 +1068,18 @@ bool rar_pdu::write_packet(uint8_t* ptr)
 }
 // Set padding to zeros (if any)
- bzero(ptr, (rem_len - (ptr - init_ptr)) * sizeof(uint8_t));
+ int32_t payload_len = ptr - init_ptr;
+ int32_t pad_len = rem_len - payload_len;
+ if (pad_len < 0) {
+ if (log_h) {
+ log_h->error("Error packing RAR PDU (payload_len=%d, rem_len=%d)\n", payload_len, rem_len);
+ } else {
+ srslte::console("Error packing RAR PDU (payload_len=%d, rem_len=%d)\n", payload_len, rem_len);
+ }
+ return false;
+ } else {
+ bzero(ptr, pad_len * sizeof(uint8_t));
+ }
 return true;
 }
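Review bot: The new `pad_len < 0` check runs only after the subheaders and payload have been written, so when it fires `ptr` has already advanced past `init_ptr + rem_len`; if `rem_len` is the space available in the output buffer (the writes sit above this hunk, so this is inferred), the out-of-bounds write has already happened and the patch only avoids the follow-on `bzero` with a negative size. The length the packing will need should be compared with `rem_len` before the first byte is written, returning false at that point. Until that is done, a comment above the check such as `// pad_len < 0 means the writes above already went past rem_len; this only guards the bzero` would keep readers from treating it as a bounds check. Smaller points: `ptr - init_ptr` is a `ptrdiff_t` narrowed into `int32_t`, and the `else` after `return false;` is redundant. The body of `rar_pdu::write_packet` begins outside the hunk.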