Review at  https://gerrit.osmocom.org/2865

octphy: fix segfault

The priv pointer of the callback function app_info_compl_cb() is
set to NULL by the caller. It should be set to pinst instead.
Besides that, there is a memory violation while accessing
the local variable ver_hdr using osmo_strlcpy(). Both are fixed
with this commit.

Change-Id: I558d78ef29e9a4d8f45f4142611f11289d3ed806
---
M src/osmo-bts-octphy/l1_oml.c
1 file changed, 6 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/65/2865/1

diff --git a/src/osmo-bts-octphy/l1_oml.c b/src/osmo-bts-octphy/l1_oml.c
index ccef231..03ff547 100644
--- a/src/osmo-bts-octphy/l1_oml.c
+++ b/src/osmo-bts-octphy/l1_oml.c
@@ -1151,9 +1151,9 @@
        tOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP *air =
                (tOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP *) resp->l2h;
 
-       sprintf(ver_hdr, "%02i.%02i.%02i-B%i", cOCTVC1_MAIN_VERSION_MAJOR,
-               cOCTVC1_MAIN_VERSION_MINOR, cOCTVC1_MAIN_VERSION_MAINTENANCE,
-               cOCTVC1_MAIN_VERSION_BUILD);
+       snprintf(ver_hdr, sizeof(ver_hdr), "%02i.%02i.%02i-B%i",
+               cOCTVC1_MAIN_VERSION_MAJOR, cOCTVC1_MAIN_VERSION_MINOR,
+               cOCTVC1_MAIN_VERSION_MAINTENANCE, cOCTVC1_MAIN_VERSION_BUILD);
 
        mOCTVC1_MAIN_MSG_APPLICATION_INFO_RSP_SWAP(air);
 
@@ -1171,7 +1171,8 @@
        talloc_replace(fl1h->info.app.name, fl1h, air->szName);
        talloc_replace(fl1h->info.app.description, fl1h, air->szDescription);
        talloc_replace(fl1h->info.app.version, fl1h, air->szVersion);
-       osmo_strlcpy(pinst->version, ver_hdr, sizeof(pinst->version));
+       OSMO_ASSERT(strlen(ver_hdr) < sizeof(pinst->version));
+       osmo_strlcpy(pinst->version, ver_hdr, strlen(ver_hdr));
 
        /* in a completion call-back, we take msgb ownership and must
         * release it before returning */
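Review bot: The new size argument in `osmo_strlcpy(pinst->version, ver_hdr, strlen(ver_hdr))` truncates the version string: osmo_strlcpy takes the destination size, copies at most size-1 bytes and then NUL-terminates, so passing the source length silently drops the last character of ver_hdr. The removed bound, `sizeof(pinst->version)`, was already the correct one — the segfault this commit fixes comes from the NULL priv pointer (third hunk), not from this call — so the line should read `osmo_strlcpy(pinst->version, ver_hdr, sizeof(pinst->version));`. The added `OSMO_ASSERT` converts a would-be truncation into an abort of the whole BTS process; since ver_hdr is built from compile-time constants that outcome is deterministic, but with the sizeof bound the copy is already safe and the assert can go. pinst is presumably the callback's data argument; its derivation and the start of app_info_compl_cb() are outside this hunk.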
@@ -1196,7 +1197,7 @@
 
        LOGP(DL1C, LOGL_INFO, "Tx APP-INFO.req\n");
 
-       return l1if_req_compl(fl1h, msg, app_info_compl_cb, 0);
+       return l1if_req_compl(fl1h, msg, app_info_compl_cb, pinst);
 }
 
 static int trx_close_cb(struct octphy_hdl *fl1, struct msgb *resp, void *data)

-- 
To view, visit https://gerrit.osmocom.org/2865

Gerrit-MessageType: newchange
Gerrit-Change-Id: I558d78ef29e9a4d8f45f4142611f11289d3ed806
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <[email protected]>
