authorDaniel Willmann <daniel@totalueberwachung.de>2014-12-30 12:10:25 +0100
committerDaniel Willmann <daniel@totalueberwachung.de>2014-12-30 12:14:25 +0100
commit695675f53991a33681ab1fa6662f318170f72992 (patch)
tree9dc86f94846e02e01f311687ede7ac8177ecf011
parent142d12d829d4207e2fe7dee34b8d82dd89015615 (diff)
libbsc/system_information.c: Fix off-by-one error in si4 generation with CBCH enabled
==25637==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff3f587c43 at pc 0x5bf591 bp 0x7fff3f587630 sp 0x7fff3f587628 READ of size 4 at 0x7fff3f587c43 thread T0 #0 0x5bf590 in tv_fixed_put /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237 #1 0x5b7e14 in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:607 #2 0x5b488b in gsm_generate_si /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:882 #3 0x4cb247 in gsm_bts_trx_set_system_infos /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:166 #4 0x4d3c26 in bootstrap_rsl /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:272 #5 0x4ced44 in inp_sig_cb /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bsc_init.c:316 #6 0x7f4f15b563d7 in osmo_signal_dispatch /home/alphaone/scm/osmo/libosmocore/src/signal.c:105 #7 0x7f4f156c0e3f in e1inp_int_snd_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x17e3f) #8 0x7f4f156be7e5 in e1inp_event (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x157e5) #9 0x583a6a in ipaccess_sign_link /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/bts_ipaccess_nanobts.c:675 #10 0x7f4f156e63b0 in handle_ts1_read (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3d3b0) #11 0x7f4f156e4f4e in ipaccess_fd_cb (/home/alphaone/local/osmo-asan/lib/libosmoabis.so.4+0x3bf4e) #12 0x7f4f15b540b6 in osmo_select_main /home/alphaone/scm/osmo/libosmocore/src/select.c:160 #13 0x43c656 in main /home/alphaone/scm/osmo/openbsc/openbsc/src/osmo-nitb/bsc_hack.c:355 #14 0x7f4f1462e4bc (/lib64/libc.so.6+0x224bc) #15 0x43b6cc (/home/alphaone/local/osmo-asan/bin/osmo-nitb+0x43b6cc) Address 0x7fff3f587c43 is located in stack of thread T0 at offset 483 in frame #0 0x5b712f in generate_si4 /home/alphaone/scm/osmo/openbsc/openbsc/src/libbsc/system_information.c:580 This frame has 8 object(s): [32, 40) '' [96, 104) '' [160, 164) 'rc' [224, 232) 'si4' [288, 296) 'cbch_lchan' [352, 360) 'restoct' [416, 420) 
'l2_plen' [480, 483) 'cd' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/alphaone/local/osmo-asan/include/osmocom/gsm/tlv.h:237 tv_fixed_put
-rw-r--r--openbsc/src/libbsc/system_information.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/openbsc/src/libbsc/system_information.c b/openbsc/src/libbsc/system_information.c
index ea9e335ea..8a6d02671 100644
--- a/openbsc/src/libbsc/system_information.c
+++ b/openbsc/src/libbsc/system_information.c
@@ -583,10 +583,10 @@ static int generate_si4(uint8_t *output, struct gsm_bts *bts)
if (cbch_lchan) {
struct gsm48_chan_desc cd;
gsm48_lchan2chan_desc(&cd, cbch_lchan);
- tv_fixed_put(si4->data, GSM48_IE_CBCH_CHAN_DESC, 4,
+ tv_fixed_put(si4->data, GSM48_IE_CBCH_CHAN_DESC, 3,
(uint8_t *) &cd);
- l2_plen += 4 + 1;
- restoct += 4 + 1;
+ l2_plen += 3 + 1;
+ restoct += 3 + 1;
/* we don't use hopping and thus don't need a CBCH MA */
}
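Review bot: The corrected length is still a bare literal repeated three times (the `tv_fixed_put` call and the two `+= 3 + 1` lines), so any later change to `struct gsm48_chan_desc` can reintroduce exactly the over-read the AddressSanitizer trace in the description shows (`cd` is the 3-byte stack object at `[480, 483)`). Deriving the length from the object keeps the IE length and both counters in step with the struct: `tv_fixed_put(si4->data, GSM48_IE_CBCH_CHAN_DESC, sizeof(cd), (uint8_t *) &cd);`, `l2_plen += sizeof(cd) + 1;`, `restoct += sizeof(cd) + 1;`. A short comment on the `+ 1` would also help a reader, e.g. `/* + 1 for the IE tag byte written ahead of the fixed-length value */`, assuming that is what the extra byte accounts for. generate_si4 starts and ends outside the hunk, so whether `restoct` and `l2_plen` are later checked against the space left in the SI4 buffer cannot be seen from here.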