From 2fbc445d32aa7749166396a9c055a199f90a1b01 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Wed, 6 Sep 2023 07:13:14 +0900
Subject: [PATCH] [PFCP] Fixed Possible heap buffer overflow (#2585)
After examining the call stack and reading the source code, I found that in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1; then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i; ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
---
 lib/pfcp/context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/pfcp/context.c b/lib/pfcp/context.c
index 23c3531e0..1ac9be65e 100644
--- a/lib/pfcp/context.c
+++ b/lib/pfcp/context.c
@@ -72,7 +72,7 @@ void ogs_pfcp_context_init(void)
 ogs_pool_random_id_generate(&ogs_pfcp_pdr_teid_pool);
 pdr_random_to_index = ogs_calloc(
- sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size);
+ sizeof(ogs_pool_id_t), ogs_pfcp_pdr_pool.size+1);
 ogs_assert(pdr_random_to_index);
 for (i = 0; i < ogs_pfcp_pdr_pool.size; i++)
 pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i;
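Review bot: The `+1` on the new ogs_calloc line is correct only because the random ids are 1-based (the message cites `(pool)->array[i] = i+1`), so index 0 is never written and index size is, but nothing at the call site says so and a later reader may well "tidy" it back to size. A comment above the call would pin the invariant, e.g. `/* random ids are 1-based (1..size); the reverse map needs size+1 slots */`. The loop that follows also relies on ogs_pfcp_pdr_teid_pool being sized like ogs_pfcp_pdr_pool; that is not visible in the hunk, so if the teid pool exposes the same `.size` field an `ogs_assert(ogs_pfcp_pdr_teid_pool.size == ogs_pfcp_pdr_pool.size);` before the loop would make the bound that keeps `array[i]` inside the table explicit. The body of ogs_pfcp_context_init continues outside the hunk.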