Stack corruption from set_system_infos
zecke at selfish.org
Thu Dec 31 06:12:31 CET 2009
I have a stack corruption due to the above method and here is my analysis of the
set_system_infos has a u_int8_t array of 23 bytes on the stack and asks to generate system infos into this array...
Now what happens is:
1.) some system information type structs are already bigger
than the 23 bytes...
2.) this does not take the rest octets into account...
I would like to fix it like this:
1.) Turn bitvec_spare_padding to return void
2.) In the rest_octets_siX method return the bit_vec.data_len
3.) Change the generate_siX to return the sizeof the struct
+ return value of the rest_octets_siX instead of the fixed
4.) always use this rc value instead of the size of the buffer...
(due to 1. of the above we set truncated values as well)
Do you have a better idea? Would you just increase the buffer size?
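An added illustration of the length-returning generator sketched in points 2 to 4 above; this is example code, not from the original post or from OpenBSC, and the names si_fixed_part, rest_octets, generate_si and try_generate are hypothetical. The caller gets back the real length (struct plus rest octets) or -1 when the buffer is too small, so a 23-byte buffer is rejected instead of overrun.

```c
/* Added illustration, not OpenBSC code: a system-information generator that
 * returns the number of bytes it actually produced (fixed struct + rest
 * octets) and refuses to write past the caller's buffer. All names
 * (si_fixed_part, rest_octets, generate_si, try_generate) are hypothetical. */
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed header: 25 bytes, already larger than a 23-byte buffer. */
struct si_fixed_part {
    uint8_t header[21];
    uint8_t flags;
    uint8_t cell_id[3];
};

/* Hypothetical rest-octets encoder: emits n fill octets (0x2b is the GSM 04.08
 * padding pattern); returns bytes written or -1 if they do not fit. */
static int rest_octets(uint8_t *dst, size_t dst_len, size_t n)
{
    if (n > dst_len)
        return -1;
    memset(dst, 0x2b, n);
    return (int)n;
}

/* Generate into out; returns total length (fixed part + rest octets) or -1.
 * Callers must use this return value as the message length, not sizeof(out). */
int generate_si(uint8_t *out, size_t out_len, size_t rest_len)
{
    struct si_fixed_part fixed;
    int rc;

    if (sizeof(fixed) > out_len)
        return -1;               /* the struct alone does not fit */
    memset(&fixed, 0, sizeof(fixed));
    fixed.flags = 0x01;          /* constructed sample content */
    memcpy(out, &fixed, sizeof(fixed));
    rc = rest_octets(out + sizeof(fixed), out_len - sizeof(fixed), rest_len);
    if (rc < 0)
        return -1;               /* rest octets would overflow */
    return (int)sizeof(fixed) + rc;
}

/* Convenience wrapper: generate into a 64-byte scratch buffer limited to buf_len. */
int try_generate(size_t buf_len, size_t rest_len)
{
    uint8_t buf[64];
    return buf_len > sizeof(buf) ? -1 : generate_si(buf, buf_len, rest_len);
}
```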
More information about the OpenBSC