authorHolger Hans Peter Freyther <zecke@selfish.org>2010-01-06 07:52:55 +0100
committerHolger Hans Peter Freyther <zecke@selfish.org>2010-01-27 06:09:36 +0100
commit8d123ea3c02d77c9c82beba79b5d0fb855faefe7 (patch)
treeb5653e3b1544c9cddd439553cff9464f0768fd15
parent88ca894df7dd0bec04c8406ea7efe53d54cc3fc4 (diff)
[system_information] Initialize the buffer before moving it
In the ip.access case we do a ++output but then still try to write 23 bytes into the buffer, and on my system this leads to stack corruption.
-rw-r--r--openbsc/src/system_information.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/system_information.c b/openbsc/src/system_information.c
index df4f1a0c8..7625da637 100644
--- a/openbsc/src/system_information.c
+++ b/openbsc/src/system_information.c
@@ -319,6 +319,8 @@ static int generate_si5(u_int8_t *output, struct gsm_bts *bts)
struct gsm48_system_information_type_5 *si5;
int rc, l2_plen = 18;
+ memset(output, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
+
/* ip.access nanoBTS needs l2_plen!! */
if (is_ipaccess_bts(bts)) {
*output++ = (l2_plen << 2) | 1;
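Review bot: The added `memset(output, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);` at the top of generate_si5 is only safe if every caller passes a buffer of at least GSM_MACBLOCK_LEN bytes, and the signature carries no length to check that against. The same applies to the identical memset added in generate_si6. I would state the contract above each memset, e.g. `/* output must point to at least GSM_MACBLOCK_LEN bytes; after the ip.access l2_plen byte only GSM_MACBLOCK_LEN - 1 remain */`. That way a later change to the struct writes or to a caller's buffer size cannot quietly reintroduce the overflow this commit fixes. The bodies of both functions continue outside the hunks, so whether the later writes stay within the remaining bytes cannot be confirmed from here.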
@@ -326,7 +328,6 @@ static int generate_si5(u_int8_t *output, struct gsm_bts *bts)
}
si5 = (struct gsm48_system_information_type_5 *) output;
- memset(si5, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
/* l2 pseudo length, not part of msg: 18 */
si5->rr_protocol_discriminator = GSM48_PDISC_RR;
@@ -345,6 +346,8 @@ static int generate_si6(u_int8_t *output, struct gsm_bts *bts)
struct gsm48_system_information_type_6 *si6;
int l2_plen = 11;
+ memset(output, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
+
/* ip.access nanoBTS needs l2_plen!! */
if (is_ipaccess_bts(bts)) {
*output++ = (l2_plen << 2) | 1;
@@ -352,7 +355,6 @@ static int generate_si6(u_int8_t *output, struct gsm_bts *bts)
}
si6 = (struct gsm48_system_information_type_6 *) output;
- memset(si6, GSM_MACBLOCK_PADDING, GSM_MACBLOCK_LEN);
/* l2 pseudo length, not part of msg: 11 */
si6->rr_protocol_discriminator = GSM48_PDISC_RR;