From 541a0450798ecaa46f3fb2013580ce25d520155b Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Mon, 14 May 2018 22:21:52 +0200
Subject: [PATCH] revert 0ac31cf4af5834ccbdc90e9159a4e2c88f57330f - but protect memcpy to detect misalignment when reassembling SDU
---
 lib/src/upper/rlc_um.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/src/upper/rlc_um.cc b/lib/src/upper/rlc_um.cc
index 5a018d40b..45240261c 100644
--- a/lib/src/upper/rlc_um.cc
+++ b/lib/src/upper/rlc_um.cc
@@ -552,9 +552,16 @@ void rlc_um::reassemble_rx_sdus()
 break;
 }
+ // Check available space in SDU
+ if ((uint32_t)len > rx_sdu->get_tailroom()) {
+ log->error("Dropping PDU %d due to buffer mis-alignment (current segment len %d B, received %d B)\n", vr_ur, rx_sdu->N_bytes, len);
+ rx_sdu->reset();
+ goto clean_up_rx_window;
+ }
+
 log->debug("Concatenating %d bytes in to current length %d. rx_window remaining bytes=%d, vr_ur_in_rx_sdu=%d, vr_ur=%d, rx_mod=%d, last_mod=%d\n", len, rx_sdu->N_bytes, rx_window[vr_ur].buf->N_bytes, vr_ur_in_rx_sdu, vr_ur, cfg.rx_mod, (vr_ur_in_rx_sdu+1)%cfg.rx_mod);
- memmove(&rx_sdu->msg[rx_sdu->N_bytes], rx_window[vr_ur].buf->msg, len);
+ memcpy(&rx_sdu->msg[rx_sdu->N_bytes], rx_window[vr_ur].buf->msg, len);
 rx_sdu->N_bytes += len;
 rx_window[vr_ur].buf->msg += len;
 rx_window[vr_ur].buf->N_bytes -= len;
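Review bot: The new guard in `rlc_um::reassemble_rx_sdus()` bounds `len` only against the destination (`rx_sdu->get_tailroom()`); nothing visible in the hunk bounds it against the source, so if `len` can exceed `rx_window[vr_ur].buf->N_bytes` the `memcpy` reads past the received PDU and `rx_window[vr_ur].buf->N_bytes -= len` wraps (assuming `N_bytes` is unsigned). If `len` is derived from the received PDU's header (its origin is outside the hunk), I would extend the condition to `if ((uint32_t)len > rx_sdu->get_tailroom() || (uint32_t)len > rx_window[vr_ur].buf->N_bytes) {` unless an earlier check already guarantees it. The error message would be more useful for triage if it also printed the value actually compared, `rx_sdu->get_tailroom()`. The function body and the `clean_up_rx_window` label lie outside the hunk, so it is worth confirming that the cleanup path leaves no stale reassembly state after `rx_sdu->reset()`.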