Stack corruption from set_system_infos

Holger Freyther zecke at selfish.org
Thu Dec 31 06:12:31 CET 2009


Hi Harald,

I have a stack corruption due to the above method and here is my analysis of the
problem...

set_system_infos has a u_int8_t array with 23 bytes on the stack and
asks to generate system infos into this array...

Now what happens is:
	1.) some system information type structs are already bigger
	    than the 23 bytes...
	2.) this does not take the rest octets into account..


I would like to fix it like this:
	1.) Turn bitvec_spare_padding to return void
	2.) In the rest_octets_siX method return the bit_vec.data_len
	3.) Change the generate_siX to return the sizeof the struct
	    + return value of the rest_octets_siX instead of the fixed
	    MACBLOCK_LEN (23)
	4.) always use this rc value instead of the size of the buffer...
	    (due to 1. of the above we set truncated values as well)


do you have a better idea? would you just increase the buffer size?

z.
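The pattern proposed in steps 2 to 4 above, as an added example that is not part of the original mail or of OpenBSC's code: a constructed SI header struct and a constructed rest-octets encoder stand in for the real GSM 04.08 structs and rest_octets_siX functions, MACBLOCK_LEN is the 23-byte buffer from the mail, and all function names ending in _example are hypothetical. The generator returns the length the message really needs while never writing past the capacity it is handed, and the caller compares that length against its stack buffer instead of assuming the message fits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MACBLOCK_LEN 23   /* fixed MAC-block size the old generate_siX assumed */

/* Constructed stand-in for one SI message header (not OpenBSC's real struct). */
struct si_header_example {
    uint8_t l2_plen;
    uint8_t proto_discr;
    uint8_t msg_type;
    uint8_t body[3];
};

/* Constructed rest-octets encoder. It writes at most 'cap' bytes into 'out'
 * but always returns how many bytes the rest octets really occupy, which is
 * what step 2 (return the bit vector's data_len) provides. */
static size_t rest_octets_example(uint8_t *out, size_t cap, size_t wanted)
{
    size_t n = wanted < cap ? wanted : cap;
    memset(out, 0x2b, n);          /* 0x2b is the GSM rest-octet padding byte */
    return wanted;                 /* required length, even if truncated */
}

/* Step 3: return sizeof(header) + rest-octet length instead of MACBLOCK_LEN,
 * and never write more than 'cap' bytes regardless of what was requested. */
int generate_si_example(uint8_t *out, size_t cap, size_t rest_len)
{
    /* Constructed field values; only the layout matters for this example. */
    struct si_header_example hdr = { .l2_plen = 0x49, .proto_discr = 0x06,
                                     .msg_type = 0x1b, .body = { 0, 0, 0 } };
    size_t hdr_len  = sizeof(hdr);
    size_t hdr_copy = hdr_len < cap ? hdr_len : cap;
    size_t rest_cap = cap > hdr_len ? cap - hdr_len : 0;

    memcpy(out, &hdr, hdr_copy);
    size_t rest_needed = rest_octets_example(out + hdr_copy, rest_cap, rest_len);
    return (int)(hdr_len + rest_needed);
}

/* Step 4: the caller uses the returned length (rc), and treats a result
 * larger than its buffer as an error rather than sending a truncated SI. */
int set_system_infos_example(size_t rest_len)
{
    uint8_t si[MACBLOCK_LEN];
    int rc = generate_si_example(si, sizeof(si), rest_len);
    if (rc < 0 || (size_t)rc > sizeof(si)) {
        fprintf(stderr, "SI needs %d bytes, buffer holds %zu: refusing\n",
                rc, sizeof(si));
        return -1;
    }
    return rc;                     /* bytes actually valid in si[] */
}

/* Guard-byte check: returns 1 if the generator stayed within 'cap' bytes
 * even when asked for far more rest octets than fit. */
int guard_intact_example(size_t rest_len)
{
    uint8_t buf[MACBLOCK_LEN + 8];
    memset(buf, 0xaa, sizeof(buf));
    generate_si_example(buf, MACBLOCK_LEN, rest_len);
    for (size_t i = MACBLOCK_LEN; i < sizeof(buf); i++)
        if (buf[i] != 0xaa)
            return 0;
    return 1;
}

int main(void)
{
    printf("rest=10: rc=%d\n", set_system_infos_example(10));
    printf("rest=30: rc=%d\n", set_system_infos_example(30));
    printf("guard intact with rest=40: %d\n", guard_intact_example(40));
    return 0;
}
```

With a 6-byte header, 17 rest octets fill the 23-byte block exactly and are accepted; 30 rest octets make the generator report 36 bytes, so the caller rejects the message instead of overrunning the stack array, and the guard bytes past the buffer stay untouched.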