<p>Vadim Yanitskiy has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/13707">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">common/oml.c: fix total length calculation in cleanup_attr_msg()<br><br>Both callers of cleanup_attr_msg(), i.e. handle_attrs_trx() and<br>handle_attrs_bts(), always pass out_offset >= 1, so the length<br>of the unsupported attributes counter is already accounted.<br><br>Otherwise, both callers would copy an additional garbage byte<br>from uninitialized memory. Discovered using Valgrind:<br><br>DOML DEBUG oml.c:539 OC=BTS(01) INST=(ff,ff,ff) Rx GET ATTR<br>DOML INFO oml.c:265 BTS Tx Get Attribute Response<br>==25467== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)<br>==25467== at 0x623E0BD: send (send.c:27)<br>==25467== by 0x5685846: __handle_ts1_write (ipaccess.c:358)<br>==25467== by 0x5683F8B: ipa_client_write (ipa.c:79)<br>==25467== by 0x5683F8B: ipa_client_fd_cb (ipa.c:140)<br>==25467== by 0x5F1DC23: osmo_fd_disp_fds (select.c:223)<br>==25467== by 0x5F1DC23: osmo_select_main (select.c:263)<br>==25467== by 0x42980B: bts_main (main.c:354)<br>==25467== by 0x6160F44: (below main) (libc-start.c:287)<br>==25467== Address 0x7d83895 is 23,669 bytes inside a block of size 102,528 alloc'd<br>==25467== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)<br>==25467== by 0x589A6B4: talloc_pool (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.1.5)<br>==25467== by 0x5F1E28B: msgb_talloc_ctx_init (msgb.c:316)<br>==25467== by 0x4293D0: bts_main (main.c:234)<br>==25467== by 0x6160F44: (below main) (libc-start.c:287)<br>==25467== Uninitialised value was created by a stack allocation<br>==25467== at 0x415FE5: oml_tx_attr_resp (oml.c:259)<br>==25467== by 0x415FE5: oml_rx_get_attr (oml.c:561)<br>==25467==<br><br>Change-Id: Ic7c2c4e54e9f99b60aaf70604044933978be945c<br>Related: OS#3938<br>---<br>M src/common/oml.c<br>1 file changed, 1 insertion(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/07/13707/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/common/oml.c b/src/common/oml.c</span><br><span>index 6bf418f..ba7a06a 100644</span><br><span>--- a/src/common/oml.c</span><br><span>+++ b/src/common/oml.c</span><br><span>@@ -188,7 +188,7 @@</span><br><span> msgb_free(msg);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return len + out_offset + 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ return len + out_offset;</span><br><span> }</span><br><span> </span><br><span> static inline int handle_attrs_trx(uint8_t *out, const struct gsm_bts_trx *trx, const uint8_t *attr, uint16_t attr_len)</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/13707">change 13707</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/13707"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-bts </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Ic7c2c4e54e9f99b60aaf70604044933978be945c </div>
<div style="display:none"> Gerrit-Change-Number: 13707 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>