authorPablo Neira Ayuso <pablo@gnumonks.org>2013-12-13 15:27:21 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2013-12-14 22:01:25 +0100
commitc733ae5b6e7834bec9882d787da7f6c52ff0f4a3 (patch)
treeb6aeeede61212bfaf170245eea277158acc8e9c4
parent1f9eb78b4f4b465aa8fcd5fd32435a19a6bf108b (diff)
osmux: fix crash in osmux_snprintf when handling multi-batch messages
valgrind reports the following crash backtrace: !<001c> osmux.c:687 No room for OSMUX payload: only 49 bytes ==12800== ==12800== Process terminating with default action of signal 11 (SIGSEGV) ==12800== Access not within mapped region at address 0xDFA8E473 ==12800== at 0x4073FD2: osmux_snprintf (osmux.c:628) ==12800== by 0x80524F1: osmux_deliver (osmux.c:50) ==12800== by 0x407371C: osmux_xfrm_input_deliver (osmux.c:302) ==12800== by 0x4073792: osmux_batch_timer_expired (osmux.c:312) ==12800== by 0x405A4A0: osmo_timers_update (timer.c:243) ==12800== by 0x405A79A: osmo_select_main (select.c:133) ==12800== by 0x8049A53: main (mgcp_main.c:307) The problem is that osmux_snprintf() is not handling multi-batch messages (ie. messages that contain several osmux batches). More specifically, the offset to print the osmux batches was reset when parsing every osmux batch. The problem also manifested with wrong outputs. Reported by Mattias Lundstrom.
-rw-r--r--src/osmux.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c
index a2c123c..77a04bf 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -661,7 +661,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
unsigned int offset = 0;
int msg_len = msg->len, len = size;
struct osmux_hdr *osmuxh;
- int this_len = 0;
+ int this_len, msg_off = 0;
while (msg_len > 0) {
if (msg_len < sizeof(struct osmux_hdr)) {
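Review bot: `int this_len, msg_off = 0;` on the replaced line drops the initializer the old `int this_len = 0;` had, so only msg_off is initialized now. this_len is assigned again inside the loop before its only remaining read, so this is a point of style rather than a defect, but one declaration per line keeps the intent visible and survives the next edit: `int this_len = 0;` and `int msg_off = 0;`. osmux_snprintf's body continues past the end of this hunk.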
@@ -670,7 +670,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
msg_len);
return -1;
}
- osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + this_len);
+ osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + msg_off);
ret = osmux_snprintf_header(buf+offset, size, osmuxh);
if (ret < 0)
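Review bot: `ret = osmux_snprintf_header(buf+offset, size, osmuxh);` writes at `buf+offset` but still hands the callee the full `size` as the room available, and with this commit `offset` now accumulates across batches instead of restarting per batch, so the bound passed no longer matches the space left in buf. Unless osmux_snprintf_header subtracts the offset itself (not visible here), a multi-batch message can carry the output past the end of buf; the remaining room is `size - offset`, and the loop should stop once `offset >= size`. The same consideration presumably applies to whatever prints the payload later in the loop, which lies outside this hunk. osmux_snprintf continues beyond the hunk.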
@@ -679,6 +679,7 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
this_len = sizeof(struct osmux_hdr) +
osmux_get_payload_len(osmuxh);
+ msg_off += this_len;
if (msg_len < this_len) {
LOGP(DLMIB, LOGL_ERROR,