[PATCH] osmo-bts[master]: octphy: l1_oml: check returncode of trx_by_l1h()


dexter gerrit-no-reply at lists.osmocom.org
Mon Dec 18 09:38:43 UTC 2017


Hello Jenkins Builder,

I'd like you to reexamine a change.  Please visit

    https://gerrit.osmocom.org/5402

to look at the new patch set (#2).

octphy: l1_oml: check returncode of trx_by_l1h()

The function trx_by_l1h() is used to fetch the pointer to an
osmo_bts_trx from a list. The ID that is used to reference the
transceiver comes from the incoming message. If the firmware
sends odd identifiers (firmware bugs, damaged packets) the
transceiver cannot be found in the list and a null pointer is
returned, which then leads to a null pointer dereference
problem.

Check the returncode, and depending on the situation either
return with -EINVAL or exit osmo-bts immediately.

Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7
---
M src/osmo-bts-octphy/l1_oml.c
1 file changed, 39 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/02/5402/2

diff --git a/src/osmo-bts-octphy/l1_oml.c b/src/osmo-bts-octphy/l1_oml.c
index a1c384a..ec1cc10 100644
--- a/src/osmo-bts-octphy/l1_oml.c
+++ b/src/osmo-bts-octphy/l1_oml.c
@@ -377,6 +377,11 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (ar->TrxId.byTrxId=%u) while lchan act\n",
+		     ar->TrxId.byTrxId);
+		return -EINVAL;
+	}
 
 	lchan = get_lchan_by_lchid(trx, &ar->LchId);
 	sapi = ar->LchId.bySAPI;
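Review bot: The new early `return -EINVAL;` after the `trx_by_l1h()` check may skip cleanup that the function performs at its normal exit; the start and end of the function are outside this hunk, so this is inferred. If this is a completion callback that owns the response msgb and frees it before returning, the error path should release it as well, with a `msgb_free()` of the response buffer directly before `return -EINVAL;`. Otherwise firmware that repeatedly sends unknown transceiver ids would leak one message buffer per response. The same applies to the other `-EINVAL` paths added in the ciphering, lchan deact, disconnecting ts and connecting ts handlers.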
@@ -488,6 +493,12 @@
 	}
 
 	trx = trx_by_l1h(fl1, pcr->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (pcr->TrxId.byTrxId=%u) while ciphering\n",
+		     pcr->TrxId.byTrxId);
+		return -EINVAL;
+	}
+
 	OSMO_ASSERT(pcr->TrxId.byTrxId == trx->nr);
 	ts = &trx->ts[pcr->PchId.byTimeslotNb];
 	/* for some strange reason the response does not tell which
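Review bot: `pcr->PchId.byTimeslotNb` is still used unchecked as an index in `ts = &trx->ts[pcr->PchId.byTimeslotNb];`, although it comes from the same firmware message as the transceiver id that is now validated. A damaged packet carrying a timeslot number past the end of `trx->ts` would yield an out-of-bounds pointer. Right after the new NULL check I would add `if (pcr->PchId.byTimeslotNb >= ARRAY_SIZE(trx->ts)) return -EINVAL;` together with a matching LOGP line. The disconnecting-ts handler has the same unchecked pattern in `ts = &trx->ts[ts_nr];`. The function body continues outside this hunk.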
@@ -687,6 +698,11 @@
 
 	mOCTVC1_GSM_MSG_TRX_DEACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ldr);
 	trx = trx_by_l1h(fl1, ldr->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (ldr->TrxId.byTrxId=%u) while lchan deact\n",
+		     ldr->TrxId.byTrxId);
+		return -EINVAL;
+	}
 
 	lchan = get_lchan_by_lchid(trx, &ldr->LchId);
 
@@ -1266,6 +1282,11 @@
 
 	mOCTVC1_GSM_MSG_TRX_OPEN_RSP_SWAP(or);
 	trx = trx_by_l1h(fl1h, or->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (or->TrxId.byTrxId=%u) while opening trx -- abort\n",
+		     or->TrxId.byTrxId);
+		exit(1);
+	}
 
 	LOGP(DL1C, LOGL_INFO, "TRX-OPEN.resp(trx=%u) = %s\n",
 		trx->nr, octvc1_rc2string(or->Header.ulReturnCode));
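Review bot: The abort path at `exit(1);` logs at `LOGL_ERROR` and has no comment explaining why this handler terminates the process while the lchan and ciphering handlers return `-EINVAL` for the same condition. Because a single damaged TRX-OPEN response now ends osmo-bts, I would log it as `LOGL_FATAL` so that the last message before the exit stands out in the log. I would also add a comment above the check, for example `/* unknown trx in TRX-OPEN.resp: bring-up cannot continue, terminate */`, if that is indeed the reason. The same applies to the `exit(1);` added in the physical-channel activation handler.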
@@ -1394,6 +1415,12 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (ar->TrxId.byTrxId=%u) while activating physical channel -- abort\n",
+		     ar->TrxId.byTrxId);
+		exit(1);
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));
 
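Review bot: `OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));` accepts `ts_nr == ARRAY_SIZE(trx->ts)`, which is one past the last valid element. `ts_nr` is taken from `ar->PchId.byTimeslotNb` in the firmware response and presumably indexes `trx->ts` further down, outside this hunk. The bound should be strict: `OSMO_ASSERT(ts_nr < ARRAY_SIZE(trx->ts));`. The identical assertion in the connecting-ts handler needs the same change.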
@@ -1472,6 +1499,12 @@
 	struct gsm_bts_trx_ts *ts;
 
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (ar->TrxId.byTrxId=%u) while disconnecting ts\n",
+		     ar->TrxId.byTrxId);
+		return -EINVAL;
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	ts = &trx->ts[ts_nr];
 
@@ -1495,6 +1528,12 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGP(DL1C, LOGL_ERROR, "response with unexpected physical transceiver-id (ar->TrxId.byTrxId=%u) while connecting ts\n",
+		     ar->TrxId.byTrxId);
+		return -EINVAL;
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));
 

-- 
To view, visit https://gerrit.osmocom.org/5402
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7
Gerrit-PatchSet: 2
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>


