This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Max gerrit-no-reply at lists.osmocom.org
Review at https://gerrit.osmocom.org/3878
Check return value to prevent crash
Previously the result of readv() was used unconditionally, so when it failed
and returned a negative value it was treated like a very large positive one,
which led to memory corruption.
Change-Id: I956c8d551f45c9dd43b5e9de11dfe20dd8783647
Related: SYS#3865
---
M src/osmo-bts-litecell15/l1_transp_hw.c
M src/osmo-bts-sysmo/l1_transp_hw.c
2 files changed, 12 insertions(+), 2 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/78/3878/1
diff --git a/src/osmo-bts-litecell15/l1_transp_hw.c b/src/osmo-bts-litecell15/l1_transp_hw.c
index 6381864..f349dd9 100644
--- a/src/osmo-bts-litecell15/l1_transp_hw.c
+++ b/src/osmo-bts-litecell15/l1_transp_hw.c
@@ -204,8 +204,13 @@
iov[i].iov_len = msgb_tailroom(msg[i]);
}
-
rc = readv(ofd->fd, iov, ARRAY_SIZE(iov));
+ if (rc < 0) {
+ for (i = count; i < ARRAY_SIZE(iov); ++i)
+ msgb_free(msg[i]);
+ return 0;
+ }
+
count = rc / prim_size;
for (i = 0; i < count; ++i) {
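Review bot: The cleanup loop in the new `if (rc < 0)` block starts at `i = count`, but `count` is only assigned on the line after the block (`count = rc / prim_size;`), so on the error path it does not yet hold a value derived from this read. Unless `count` is set to 0 earlier in the function, the loop starts at an indeterminate index and can free the wrong buffers or skip some. Since nothing was read on failure, every buffer set up for `iov` should be released: start the loop at `i = 0`. It would also be worth stating in the commit message or a comment how `rc == 0` and a short read that is not a multiple of `prim_size` are expected to behave, since `rc / prim_size` silently truncates.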
diff --git a/src/osmo-bts-sysmo/l1_transp_hw.c b/src/osmo-bts-sysmo/l1_transp_hw.c
index da8ac3f..7903c94 100644
--- a/src/osmo-bts-sysmo/l1_transp_hw.c
+++ b/src/osmo-bts-sysmo/l1_transp_hw.c
@@ -215,8 +215,13 @@
iov[i].iov_len = msgb_tailroom(msg[i]);
}
-
rc = readv(ofd->fd, iov, ARRAY_SIZE(iov));
+ if (rc < 0) {
+ for (i = count; i < ARRAY_SIZE(iov); ++i)
+ msgb_free(msg[i]);
+ return 0;
+ }
+
count = rc / prim_size;
for (i = 0; i < count; ++i) {
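Review bot: The error branch added after `readv()` returns 0 without logging or inspecting `errno`, so a failing descriptor is indistinguishable from a successful call and the failure that previously caused the crash becomes silent. Consider logging the error with `strerror(errno)` and returning a negative value, or at least treating a transient condition differently from a persistent one, if the caller can act on it. The `for (i = count; ...)` loop here has the same problem as in the litecell15 file: `count` is not assigned until `count = rc / prim_size;` below, so the free loop should start at `i = 0`. As the two hunks are identical, a shared helper would keep the fix from diverging between the two back ends.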
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I956c8d551f45c9dd43b5e9de11dfe20dd8783647
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: Max <msuraev at sysmocom.de>