[PATCH] osmo-bts[master]: octphy: fix segfault

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

dexter gerrit-no-reply at lists.osmocom.org
Fri Jun 9 14:10:05 UTC 2017


Review at https://gerrit.osmocom.org/2865

octphy: fix segfault

The priv pointer of the callback function app_info_compl_cb() is
set to null by the pointer. It should be set to pinst instead.
Besides that, there is a memory violation while accessing
the local variable ver_hdr using osmo_strlcpy(). Both are fixed
with this commit.

Change-Id: I558d78ef29e9a4d8f45f4142611f11289d3ed806
---
M src/osmo-bts-octphy/l1_oml.c
1 file changed, 6 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/65/2865/1

diff --git a/src/osmo-bts-octphy/l1_oml.c b/src/osmo-bts-octphy/l1_oml.c
index ccef231..03ff547 100644
--- a/src/osmo-bts-octphy/l1_oml.c
+++ b/src/osmo-bts-octphy/l1_oml.c
@@ -1151,9 +1151,9 @@
 	tOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP *air =
 		(tOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP *) resp->l2h;
 
-	sprintf(ver_hdr, "%02i.%02i.%02i-B%i", cOCTVC1_MAIN_VERSION_MAJOR,
-		cOCTVC1_MAIN_VERSION_MINOR, cOCTVC1_MAIN_VERSION_MAINTENANCE,
-		cOCTVC1_MAIN_VERSION_BUILD);
+	snprintf(ver_hdr, sizeof(ver_hdr), "%02i.%02i.%02i-B%i",
+		cOCTVC1_MAIN_VERSION_MAJOR, cOCTVC1_MAIN_VERSION_MINOR,
+		cOCTVC1_MAIN_VERSION_MAINTENANCE, cOCTVC1_MAIN_VERSION_BUILD);
 
 	mOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP_SWAP(air);
 
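Review bot: the bounded snprintf() is the right replacement for sprintf(), but the declaration of ver_hdr is not in the hunk; sizeof(ver_hdr) is only the buffer length if ver_hdr is a local char array, so confirm it is not a char pointer (in which case sizeof would be the pointer size). Consider also checking the snprintf() return value: a result >= sizeof(ver_hdr) means the version string was silently truncated, which deserves at least a LOGP() since the callers downstream will treat ver_hdr as a complete "MM.mm.pp-Bn" string.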
@@ -1171,7 +1171,8 @@
 	talloc_replace(fl1h->info.app.name, fl1h, air->szName);
 	talloc_replace(fl1h->info.app.description, fl1h, air->szDescription);
 	talloc_replace(fl1h->info.app.version, fl1h, air->szVersion);
-	osmo_strlcpy(pinst->version, ver_hdr, sizeof(pinst->version));
+	OSMO_ASSERT(strlen(ver_hdr) < sizeof(pinst->version));
+	osmo_strlcpy(pinst->version, ver_hdr, strlen(ver_hdr));
 
 	/* in a completion call-back, we take msgb ownership and must
 	 * release it before returning */
@@ -1196,7 +1197,7 @@
 
 	LOGP(DL1C, LOGL_INFO, "Tx APP-INFO.req\n");
 
-	return l1if_req_compl(fl1h, msg, app_info_compl_cb, 0);
+	return l1if_req_compl(fl1h, msg, app_info_compl_cb, pinst);
 }
 
 static int trx_close_cb(struct octphy_hdl *fl1, struct msgb *resp, void *data)

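Review bot: passing pinst instead of 0 as the priv argument is what actually removes the NULL dereference of pinst->version in app_info_compl_cb(), but the callback still trusts its data pointer unconditionally. Since l1if_req_compl() completes asynchronously when the APP-INFO response arrives, add an OSMO_ASSERT(pinst) (or a NULL check with a LOGP() error) at the top of app_info_compl_cb() so any future caller that again passes 0 fails with a clear message rather than a segfault, and confirm the phy_instance cannot be freed between the request being sent and its completion callback running. Minor: the commit message should mention this hunk as the cause of the segfault, as the version-copy hunk on its own does not explain the crash.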
-- 
To view, visit https://gerrit.osmocom.org/2865
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I558d78ef29e9a4d8f45f4142611f11289d3ed806
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>


