<p>fixeria <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-bts/+/14876">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved
  Jenkins Builder: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">osmo-bts-trx/scheduler: prevent uninitialized memory access<br><br>When sending an AMR BFI, we need to call osmo_amr_rtp_enc() with<br>AMR_BAD as the last parameter. This function returns the length<br>of encoded payload, which needs to be at least 2 octets long.<br><br>If osmo_amr_rtp_enc() returns a length value lower than 2 octets<br>(what should not happen in general), we should neither call<br>memset() on it, nor call _sched_compose_tch_ind().<br><br>Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9<br>Fixes: CID#178648, CID#178637, CID#178651<br>---<br>M src/osmo-bts-trx/scheduler_trx.c<br>1 file changed, 18 insertions(+), 6 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/osmo-bts-trx/scheduler_trx.c b/src/osmo-bts-trx/scheduler_trx.c</span><br><span>index ef24119..1a60443 100644</span><br><span>--- a/src/osmo-bts-trx/scheduler_trx.c</span><br><span>+++ b/src/osmo-bts-trx/scheduler_trx.c</span><br><span>@@ -382,8 +382,12 @@</span><br><span>                      len = osmo_amr_rtp_enc(tch_data,</span><br><span>                             chan_state->codec[chan_state->dl_cmr],</span><br><span>                                 chan_state->codec[chan_state->dl_ft], AMR_BAD);</span><br><span style="color: hsl(0, 100%, 40%);">-                   if (len < 2)</span><br><span style="color: hsl(0, 100%, 40%);">-                         break;</span><br><span style="color: hsl(120, 100%, 40%);">+                        if (len < 2) {</span><br><span style="color: hsl(120, 100%, 40%);">+                             LOGL1S(DL1P, LOGL_ERROR, l1t, tn, chan, fn,</span><br><span style="color: hsl(120, 100%, 40%);">+                                  "Failed to encode AMR_BAD frame (rc=%d), "</span><br><span style="color: hsl(120, 100%, 40%);">+                                  "not sending BFI\n", len);</span><br><span 
style="color: hsl(120, 100%, 40%);">+                           return;</span><br><span style="color: hsl(120, 100%, 40%);">+                       }</span><br><span>                    memset(tch_data + 2, 0, len - 2);</span><br><span>                    _sched_compose_tch_ind(l1t, tn, fn, chan, tch_data, len);</span><br><span>                    break;</span><br><span>@@ -1284,8 +1288,12 @@</span><br><span>                                      chan_state->codec[chan_state->dl_cmr],</span><br><span>                                         chan_state->codec[chan_state->dl_ft],</span><br><span>                                  AMR_BAD);</span><br><span style="color: hsl(0, 100%, 40%);">-                               if (rc < 2)</span><br><span style="color: hsl(0, 100%, 40%);">-                                  break;</span><br><span style="color: hsl(120, 100%, 40%);">+                                if (rc < 2) {</span><br><span style="color: hsl(120, 100%, 40%);">+                                      LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn,</span><br><span style="color: hsl(120, 100%, 40%);">+                                            "Failed to encode AMR_BAD frame (rc=%d), "</span><br><span style="color: hsl(120, 100%, 40%);">+                                          "not sending BFI\n", rc);</span><br><span style="color: hsl(120, 100%, 40%);">+                                    return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+                               }</span><br><span>                            memset(tch_data + 2, 0, rc - 2);</span><br><span>                             break;</span><br><span>                       default:</span><br><span>@@ -1477,8 +1485,12 @@</span><br><span>                                    chan_state->codec[chan_state->dl_cmr],</span><br><span>                                         chan_state->codec[chan_state->dl_ft],</span><br><span>                                  
AMR_BAD);</span><br><span style="color: hsl(0, 100%, 40%);">-                               if (rc < 2)</span><br><span style="color: hsl(0, 100%, 40%);">-                                  break;</span><br><span style="color: hsl(120, 100%, 40%);">+                                if (rc < 2) {</span><br><span style="color: hsl(120, 100%, 40%);">+                                      LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn,</span><br><span style="color: hsl(120, 100%, 40%);">+                                            "Failed to encode AMR_BAD frame (rc=%d), "</span><br><span style="color: hsl(120, 100%, 40%);">+                                          "not sending BFI\n", rc);</span><br><span style="color: hsl(120, 100%, 40%);">+                                    return -EINVAL;</span><br><span style="color: hsl(120, 100%, 40%);">+                               }</span><br><span>                            memset(tch_data + 2, 0, rc - 2);</span><br><span>                             break;</span><br><span>                       default:</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-bts/+/14876">change 14876</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-bts/+/14876"/><meta itemprop="name" content="View Change"/></div></div>
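Review bot: in the hunk at @@ -382, the removed "if (len < 2) break;" already skipped both memset() and _sched_compose_tch_ind(), so the commit message does not explain what replacing break with "return;" changes at this site. The difference lies in whatever follows the enclosing block, which this hunk does not show. Please state, in the commit message or in a comment above the return, which later code must not run when tch_data was not encoded. As a style point, keeping the log string on one line ("Failed to encode AMR_BAD frame (rc=%d), not sending BFI\n") makes it findable with grep.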
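Review bot: the "return -EINVAL;" added in the hunk at @@ -1284 leaves the function from inside the switch, so any code after the switch that releases resources or updates per-burst state is now skipped on this error path. The hunk does not show that code, so please confirm nothing there is still required, and that callers act on the negative return value rather than ignoring it. If the encoder failure can persist across frames, logging at LOGL_ERROR on every occurrence may flood the log; consider rate limiting it.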
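Review bot: the block added in the hunk at @@ -1477 repeats the check, log message and return value of the hunk at @@ -1284, and the hunk at @@ -382 carries a third copy using len and a plain "return;". A small helper that calls osmo_amr_rtp_enc() with AMR_BAD, rejects a result below 2, logs the failure and zeroes the payload after the first two octets would keep the three call sites from drifting apart, and would give the "at least 2 octets" rule from the commit message a single place to be documented.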

<div style="display:none"> Gerrit-Project: osmo-bts </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9 </div>
<div style="display:none"> Gerrit-Change-Number: 14876 </div>
<div style="display:none"> Gerrit-PatchSet: 6 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: fixeria <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>