| author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2015-12-16 16:43:24 +0100 |
|---|---|---|
| committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2015-12-17 08:33:56 +0100 |
| commit | 6fb6c12258ab62d60767d51f990a10802d4c93f0 (patch) | |
| tree | 6e84eee8f5d6b41569fc5b75baa7d20e10703e49 | |
| parent | bdaa6e0bf122dfb9c5239e8f0f84ae4e146ce107 (diff) | |
gbproxy: Fix stored msgbs in gbproxy_flush_stored_messages
Currently the last message received is patched with the meta
information of each stored message. This can lead to invalid memory
accesses.
This commit replaces msg by stored_msg in the call to
gbproxy_patch_bssgp.
Note that the fix has not been validated by unit tests yet.
Addresses:
Program received signal SIGSEGV, Segmentation fault.
#0 memmove () at ../sysdeps/i386/i686/memmove.S:68
#1 0x08052ee9 in gprs_msgb_resize_area at gprs_utils.c:99
#2 0x0804f4de in gbproxy_patch_apn_ie at gb_proxy_patch.c:108
#3 0x0804f7cd in gbproxy_patch_llc at gb_proxy_patch.c:253
#4 0x0804f9cb in gbproxy_patch_bssgp at gb_proxy_patch.c:348
#5 0x0804abf5 in gbproxy_flush_stored_messages at gb_proxy.c:347
Ticket: OW#1550
Sponsored-by: On-Waves ehf
-rw-r--r-- | openbsc/src/gprs/gb_proxy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gb_proxy.c b/openbsc/src/gprs/gb_proxy.c index 6cad651a5..ff7d4168b 100644 --- a/openbsc/src/gprs/gb_proxy.c +++ b/openbsc/src/gprs/gb_proxy.c @@ -344,7 +344,7 @@ static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer, gprs_gb_parse_bssgp(msgb_bssgph(stored_msg), msgb_bssgp_len(stored_msg), &tmp_parse_ctx); - gbproxy_patch_bssgp(msg, msgb_bssgph(stored_msg), + gbproxy_patch_bssgp(stored_msg, msgb_bssgph(stored_msg), msgb_bssgp_len(stored_msg), peer, link_info, &len_change, &tmp_parse_ctx); |
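Review bot: The replacement argument is the right one, since every other argument in this call (msgb_bssgph(stored_msg), msgb_bssgp_len(stored_msg), and tmp_parse_ctx filled by the gprs_gb_parse_bssgp call just above it) already refers to stored_msg; passing msg meant the offsets parsed from one buffer were applied, via gprs_msgb_resize_area's memmove, to a different one, which is exactly the SIGSEGV path in the backtrace. Because the commit message states the fix has not been validated by unit tests, please add a regression case to the gbproxy tests that queues a message whose APN IE requires a resize and then triggers gbproxy_flush_stored_messages, so that the gbproxy_patch_apn_ie -> gprs_msgb_resize_area path is exercised under the sanitiser or valgrind. It would also be worth a follow-up to check whether msg still needs to be in scope in this loop at all, so that a later edit cannot reintroduce the same mix-up.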