Change in osmo-pcu[master]: Fix crash accessing NULL tbf->pdch[first_ts]

pespin gerrit-no-reply at lists.osmocom.org
Wed Sep 23 11:23:08 UTC 2020


pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-pcu/+/20254 )

Change subject: Fix crash accessing NULL tbf->pdch[first_ts]
......................................................................

Fix crash accessing NULL tbf->pdch[first_ts]

Fixes a consistent crash under some specific scenarios explained in
OS#4756.

The crash was caused by a bug in the channel allocator algorithm
incorrectly populating the tbf->pdch[] array as a result of mismatching
first_ts and resulting pdch selected slot bitmask.

The issue happens because when allocating a UL TBF in allocator B, the
subset is always further forced into allocating one single TS. As a
result, on that branch several variables are updated, but first_ts was
not.

The field used to be updated in older versions, but a bug was introduced
during code refactoring in the commit listed below (31 Jan 2018).

Fixes: 0cc7212cfdfd40e87b531ecf14e76356185f4036
Related: OS#4756
Change-Id: I79596803f7dab6f21b58bfe39c2af65d9c5b39d5
---
M src/gprs_rlcmac_ts_alloc.cpp
1 file changed, 1 insertion(+), 2 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/gprs_rlcmac_ts_alloc.cpp b/src/gprs_rlcmac_ts_alloc.cpp
index 836dab5..496d19b 100644
--- a/src/gprs_rlcmac_ts_alloc.cpp
+++ b/src/gprs_rlcmac_ts_alloc.cpp
@@ -896,8 +896,6 @@
 	if (rc < 0)
 		return -EINVAL;
 
-	first_ts = ffs(rc) - 1;
-
 	/* Step 3b: Derive the slot set for a given direction */
 	if (tbf->direction == GPRS_RLCMAC_DL_TBF) {
 		dl_slots = rc;
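Review bot: nothing at the spot ahead of Step 3b, where `first_ts = ffs(rc) - 1;` used to sit, records why first_ts must not be derived this early. The commit message attributes the regression to a refactoring, so a one-line comment here saying that the direction-specific step can still narrow the selection to a single TS would help keep the assignment from drifting back. The diffstat shows only src/gprs_rlcmac_ts_alloc.cpp changed, so a regression test covering the OS#4756 scenario would also be worth adding.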
@@ -914,6 +912,7 @@
 		update_slot_counters(ul_slots, reserved_ul_slots, &slotcount, &avail_count);
 	}
 
+	first_ts = ffs(rc) - 1;
 	first_common_ts = ffs(dl_slots & ul_slots) - 1;
 
 	if (first_common_ts < 0) {
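Review bot: the relocated `first_ts = ffs(rc) - 1;` has no range check, unlike `first_common_ts` on the following line, which is tested for `< 0`. Only `rc < 0` is rejected earlier, so if rc were 0, ffs() would return 0 and first_ts would be -1; an explicit check or assert before first_ts is used to index tbf->pdch[] would close that gap. Deriving first_ts from the final dl_slots or ul_slots mask for the TBF's direction would also make the intent explicit, instead of relying on rc having been updated inside the branch, which the context shown here does not confirm.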

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/20254
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-pcu
Gerrit-Branch: master
Gerrit-Change-Id: I79596803f7dab6f21b58bfe39c2af65d9c5b39d5
Gerrit-Change-Number: 20254
Gerrit-PatchSet: 3
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged