From 8d123ea3c02d77c9c82beba79b5d0fb855faefe7 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Wed, 6 Jan 2010 07:52:55 +0100
Subject: [system_information] Initialize the buffer before moving it

In the case of ipaccess we are doing a ++output but then still try to write 23 bytes into it and on my system this is leading to a stack corruption.
---
 openbsc/src/system_information.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/openbsc/src/system_information.c b/openbsc/src/system_information.c
index df4f1a0c8..7625da637 100644
--- a/openbsc/src/system_information.c
+++ b/openbsc/src/system_information.c
@@ -319,6 +319,8 @@ static int generate_si5(u_int8_t *output, struct gsm_bts *bts)
 struct gsm48_system_information_type_5 *si5;
 int rc, l2_plen = 18;
 
+ memset(output, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
+
 /* ip.access nanoBTS needs l2_plen!! */
 if (is_ipaccess_bts(bts)) {
 *output++ = (l2_plen << 2) | 1;
@@ -326,7 +328,6 @@ static int generate_si5(u_int8_t *output, struct gsm_bts *bts)
 }
 
 si5 = (struct gsm48_system_information_type_5 *) output;
- memset(si5, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
 
 /* l2 pseudo length, not part of msg: 18 */
 si5->rr_protocol_discriminator = GSM48_PDISC_RR;
@@ -345,6 +346,8 @@ static int generate_si6(u_int8_t *output, struct gsm_bts *bts)
 struct gsm48_system_information_type_6 *si6;
 int l2_plen = 11;
 
+ memset(output, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
+
 /* ip.access nanoBTS needs l2_plen!! */
 if (is_ipaccess_bts(bts)) {
 *output++ = (l2_plen << 2) | 1;
@@ -352,7 +355,6 @@ static int generate_si6(u_int8_t *output, struct gsm_bts *bts)
 }
 
 si6 = (struct gsm48_system_information_type_6 *) output;
- memset(si6, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
 
 /* l2 pseudo length, not part of msg: 11 */
 si6->rr_protocol_discriminator = GSM48_PDISC_RR;
-- 
cgit v1.2.3
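Review bot: The moved memset in generate_si5 (and the matching one in generate_si6) now pads the whole MAC block before the l2 pseudo-length byte is emitted, but nothing in either function records that `output` must be at least GSM_MACBLOCK_LEN bytes, and in the ip.access path si5/si6 are written at output + 1, so the type_5/type_6 structs must fit in GSM_MACBLOCK_LEN - 1 bytes; that bound is neither checked nor visible in these hunks. I would add above each memset `/* pad the whole MAC block first: in the ip.access case output is advanced past the l2 pseudo-length byte below, so padding via si5/si6 would overrun the caller's GSM_MACBLOCK_LEN buffer */` and state in a header comment on both functions that the caller must supply a buffer of at least GSM_MACBLOCK_LEN bytes. If the build allows a compile-time assertion, checking `sizeof(struct gsm48_system_information_type_5) + 1 <= GSM_MACBLOCK_LEN` (and the type_6 equivalent) would keep the overrun described in the commit message from being reintroduced silently. Both generate_si5 and generate_si6 begin and end outside the hunks.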