gbproxy: Fix stored msgbs in gbproxy_flush_stored_messages

Currently the last message received is patched with the meta
information of each stored message. This can lead to invalid memory
accesses.

This commit replaces msg by stored_msg in the call to
gbproxy_patch_bssgp.

Note that the fix has not been validated by unit tests yet.

Addresses:
  Program received signal SIGSEGV, Segmentation fault.
  #0  memmove () at ../sysdeps/i386/i686/memmove.S:68
  #1  0x08052ee9 in gprs_msgb_resize_area at gprs_utils.c:99
  #2  0x0804f4de in gbproxy_patch_apn_ie at gb_proxy_patch.c:108
  #3  0x0804f7cd in gbproxy_patch_llc at gb_proxy_patch.c:253
  #4  0x0804f9cb in gbproxy_patch_bssgp at gb_proxy_patch.c:348
  #5  0x0804abf5 in gbproxy_flush_stored_messages at gb_proxy.c:347

Ticket: OW#1550
Sponsored-by: On-Waves ehf
Jacob Erlbeck
2015-12-16 16:43:24 +01:00
committed by Holger Hans Peter Freyther
parent bdaa6e0bf1
commit 6fb6c12258


@@ -344,7 +344,7 @@ static void gbproxy_flush_stored_messages(struct gbproxy_peer *peer,
gprs_gb_parse_bssgp(msgb_bssgph(stored_msg),
msgb_bssgp_len(stored_msg),
&tmp_parse_ctx);
gbproxy_patch_bssgp(msg, msgb_bssgph(stored_msg),
gbproxy_patch_bssgp(stored_msg, msgb_bssgph(stored_msg),
msgb_bssgp_len(stored_msg),
peer, link_info, &len_change,
&tmp_parse_ctx);
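Review bot: the first argument of gbproxy_patch_bssgp now names the same buffer that the parse context was built from, which is the actual fix: the preceding gprs_gb_parse_bssgp call fills tmp_parse_ctx from msgb_bssgph(stored_msg), so patching msg with offsets taken from stored_msg let gprs_msgb_resize_area move memory relative to the wrong buffer, exactly the memmove crash in the quoted backtrace. Since the commit message states the fix is not yet validated by unit tests, please follow up with a test for gbproxy_flush_stored_messages that stores a message whose APN IE length differs from the most recently received message, so that a regression to patching msg instead of stored_msg is caught under the address sanitizer rather than only as a SIGSEGV in the field.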