commit 7b59bab794f1ba86e2dd47705c5800fd4a4f91eb
author Daniel Willmann <dwillmann@sysmocom.de> Fri Jul 07 11:17:59 2023 +0200
committer laforge <laforge@osmocom.org> Tue Jul 18 06:30:28 2023 +0000
tree 6b4a430924220498da9244a71222220eb02e55a3
parent a18f1d7be4f6ddd5e4247c50c6ded42582dd8e41

osmo_io: Document expectation that segmentation_cb() can modify msgb

This is used for parsing e.g. the ipa header and setting msg->cb.
Guard against segmentation_cb changing msg->data in
iofd_handle_segmentation().

Change-Id: Idd2115baae98a7818aabb26232d4423d2d48fb5c

src/core/osmo_io.c

diff --git a/src/core/osmo_io.c b/src/core/osmo_io.c
index fdb9e32..8217316 100644
--- a/src/core/osmo_io.c
+++ b/src/core/osmo_io.c
@@ -226,6 +226,9 @@
 	int extra_len, received_len;
 	struct msgb *msg_pending;
 
+	/* Save the start of message before segmentation_cb (which could change it) */
+	uint8_t *data = msg->data;
+
 	received_len = msgb_length(msg);
 
 	if (!iofd->io_ops.segmentation_cb) {
@@ -258,12 +261,14 @@
 	/* msgb contains more than one segment */
 	/* Copy the trailing data over */
 	msg_pending = iofd_msgb_alloc(iofd);
-	memcpy(msgb_data(msg_pending), msgb_data(msg) + expected_len, extra_len);
+	memcpy(msgb_data(msg_pending), data + expected_len, extra_len);
 	msgb_put(msg_pending, extra_len);
 	*pending_out = msg_pending;
 
-	/* Trim the original msgb to size */
-	msgb_trim(msg, expected_len);
+	/* Trim the original msgb to size. Don't use msgb_trim because we need to reference
+	 * msg->data from before it might have been modified by the segmentation_cb(). */
+	msg->len = expected_len;
+	msg->tail = data + expected_len;
 	return IOFD_SEG_ACT_HANDLE_MORE;
 
 defer: