Stack corruption from set_system_infos

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Holger Freyther zecke at selfish.org
Wed Jan 6 06:59:21 UTC 2010


On Thursday 31 December 2009 11:23:00 Harald Welte wrote:
> Hi Zecke,

> > Now what happens is:
> > 	1.) some system information types structs are already bigger
> >              than the 23 bytes...
> 
> why are they?  How can that be?  How can a SI message be larger than the
> physical limitation of the MAC-Block?  This sounds like the root cause
> of the problem to me.

This was bullshit...

Here is the root cause:

For SI5 and SI6 we have to deal with the BS11 having left the length field 
out... What we are doing is:

char output[23];            /* one MAC-block worth of L3 message */
if (is_nano_bts) {
    *output = len;          /* length octet only for the nanoBTS */
    ++output;               /* now pointing at output[1] */
}

si6 = (struct si6*) output;
memset(si6, padding, 23);   /* 23 bytes starting at output[1] = 24 bytes into a 23-byte buffer */

And one thing I have found as well, but it seems more like I'm wrong. All 
data_len of the bitvector are one too big? Is that done on purpose?

Patch 0001 and 0003 are of cosmetic nature, 0002 and 0004 seem to fix the stack 
corruption my system is seeing.


regards
	holger





-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-system_information-Initialize-the-buffer-before-movi.patch
Type: text/x-patch
Size: 1943 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100106/e0305f63/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-rest_octets-Change-data_len-to-the-sizes-of-the-spec.patch
Type: text/x-patch
Size: 1729 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100106/e0305f63/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-system_information-Return-how-much-byte-were-written.patch
Type: text/x-patch
Size: 2796 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100106/e0305f63/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-rest_octets-Return-bv.data_len-to-indicate-how-was-w.patch
Type: text/x-patch
Size: 1650 bytes
Desc: not available
URL: <http://lists.osmocom.org/pipermail/openbsc/attachments/20100106/e0305f63/attachment-0003.bin>
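The off-by-one described in the mail, as an added example that is not part of the original message or of the OpenBSC code: the buggy sequence (length octet, advance the pointer, then memset a full 23 octets) is run next to a corrected one (pad the whole 23-octet window first, then place the length octet, never write past MAC_BLOCK_LEN) on a canary-backed buffer, so the one-byte overrun is visible without actually corrupting the stack. The padding value 0x2b, the function names and the canary are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A GSM L3 message carried in one MAC-block is 23 octets (the "23" in the mail). */
#define MAC_BLOCK_LEN 23
/* Padding octet value assumed for this example; the mail only calls it "padding". */
#define SI_PADDING 0x2b

/*
 * Buggy sequence as described in the mail: if the BTS type carries a length
 * octet, store it and advance the write pointer, then memset a full 23 octets
 * from the advanced pointer.  With the length octet that is 1 + 23 = 24 octets
 * into what the caller thinks is a 23-octet buffer: one byte past the end.
 * The buffer length is deliberately not checked, like the original.  Returns
 * the number of octets the sequence touches.  Callers must provide at least
 * MAC_BLOCK_LEN + 1 bytes of real storage so this demonstration stays in bounds.
 */
static size_t si_fill_buggy(uint8_t *buf, int has_len_octet, uint8_t len)
{
    uint8_t *output = buf;
    if (has_len_octet) {
        *output = len;
        ++output;
    }
    memset(output, SI_PADDING, MAC_BLOCK_LEN);
    return (size_t)(output - buf) + MAC_BLOCK_LEN;
}

/*
 * Corrected sequence: initialise the whole 23-octet window first, then place
 * the optional length octet inside it, and never write beyond MAC_BLOCK_LEN.
 * Returns the number of octets written, or -1 if the caller's buffer is too small.
 */
static int si_fill_fixed(uint8_t *buf, size_t buf_len, int has_len_octet, uint8_t len)
{
    if (buf_len < MAC_BLOCK_LEN)
        return -1;
    memset(buf, SI_PADDING, MAC_BLOCK_LEN);
    if (has_len_octet)
        buf[0] = len;
    return MAC_BLOCK_LEN;
}

/*
 * Run one variant on a buffer that has a canary octet right after the 23-octet
 * window (constructed input for this example) and report whether that octet
 * survived.  Returns 1 if the canary is intact, 0 if it was overwritten.
 */
static int canary_intact(int use_fixed, int has_len_octet)
{
    uint8_t storage[MAC_BLOCK_LEN + 1];
    const uint8_t canary = 0xa5;

    memset(storage, 0, sizeof storage);
    storage[MAC_BLOCK_LEN] = canary;

    if (use_fixed)
        si_fill_fixed(storage, MAC_BLOCK_LEN, has_len_octet, 0x12);
    else
        si_fill_buggy(storage, has_len_octet, 0x12);

    return storage[MAC_BLOCK_LEN] == canary;
}

int main(void)
{
    printf("buggy, no length octet: canary %s\n", canary_intact(0, 0) ? "intact" : "clobbered");
    printf("buggy, length octet   : canary %s\n", canary_intact(0, 1) ? "intact" : "clobbered");
    printf("fixed, length octet   : canary %s\n", canary_intact(1, 1) ? "intact" : "clobbered");
    return 0;
}
```

The BS11 case (no length octet) never overruns, which is why the bug only shows up on a nanoBTS: the extra octet is exactly the one the length field adds before the 23-octet memset.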

