<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-pcu/+/24747">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">pdch: Fix null MS access gprs_rlcmac_pdch::rcv_control_ack<br><br>If bts_ms_by_tlli() at the start of the function fails, ms could be<br>NULL. As a result "ms->nacc" access at the end of the function would<br>crash.<br>Solution:<br>In the function, we get the related expected TBF from pdch_ulc, and we only<br>continue if a TBF is found. Since tbf objects are always expected to<br>have a GprsMs, simply gather it from there.<br><br>Change-Id: I666ed5d157f42e74956fa49fc9eea85d27e63d44<br>---<br>M src/pdch.cpp<br>1 file changed, 6 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/47/24747/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/pdch.cpp b/src/pdch.cpp</span><br><span>index 8e0a24a..2b5159b 100644</span><br><span>--- a/src/pdch.cpp</span><br><span>+++ b/src/pdch.cpp</span><br><span>@@ -304,7 +304,7 @@</span><br><span> {</span><br><span>      struct gprs_rlcmac_tbf *tbf, *new_tbf;</span><br><span>       uint32_t tlli = packet->TLLI;</span><br><span style="color: hsl(0, 100%, 40%);">-        GprsMs *ms = bts_ms_by_tlli(bts(), tlli, GSM_RESERVED_TMSI);</span><br><span style="color: hsl(120, 100%, 40%);">+  GprsMs *ms;</span><br><span>  gprs_rlcmac_ul_tbf *ul_tbf;</span><br><span>  enum pdch_ulc_tbf_poll_reason reason;</span><br><span>        struct pdch_ulc_node *poll;</span><br><span>@@ -314,6 +314,7 @@</span><br><span>            LOGPDCH(this, DRLCMAC, LOGL_NOTICE, "PACKET CONTROL ACK with "</span><br><span>                     "unknown FN=%u TLLI=0x%08x (TRX %d TS %d)\n",</span><br><span>                      fn, tlli, trx_no(), ts_no);</span><br><span style="color: hsl(120, 
100%, 40%);">+           ms = bts_ms_by_tlli(bts(), tlli, GSM_RESERVED_TMSI);</span><br><span>                 if (ms)</span><br><span>                      LOGPDCH(this, DRLCMAC, LOGL_NOTICE, "PACKET CONTROL ACK with "</span><br><span>                             "unknown TBF corresponds to MS with IMSI %s, TA %d, "</span><br><span>@@ -332,6 +333,8 @@</span><br><span>        tbf->n_reset(N3101);</span><br><span> </span><br><span>  tbf->update_ms(tlli, GPRS_RLCMAC_UL_TBF);</span><br><span style="color: hsl(120, 100%, 40%);">+  /* Gather MS from TBF, since it may be NULL or may have been merged during update_ms */</span><br><span style="color: hsl(120, 100%, 40%);">+       ms = tbf->ms();</span><br><span> </span><br><span>       LOGPTBF(tbf, LOGL_DEBUG, "FN=%" PRIu32 " Rx Packet Control Ack (reason=%s)\n",</span><br><span>           fn, get_value_string(pdch_ulc_tbf_poll_reason_names, reason));</span><br><span>@@ -353,7 +356,7 @@</span><br><span>                 tbf->n_reset(N3105);</span><br><span>              TBF_SET_ASS_STATE_DL(tbf, GPRS_RLCMAC_DL_ASS_NONE);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-         new_tbf = tbf->ms() ? ms_dl_tbf(tbf->ms()) : NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+              new_tbf = ms_dl_tbf(tbf->ms());</span><br><span>           if (!new_tbf) {</span><br><span>                      LOGPDCH(this, DRLCMAC, LOGL_ERROR, "Got ACK, but DL "</span><br><span>                              "TBF is gone TLLI=0x%08x\n", tlli);</span><br><span>@@ -385,7 +388,7 @@</span><br><span>          tbf->n_reset(N3105);</span><br><span>              TBF_SET_ASS_STATE_UL(tbf, GPRS_RLCMAC_UL_ASS_NONE);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-         new_tbf = tbf->ms() ? 
ms_ul_tbf(tbf->ms()) : NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+              new_tbf = ms_ul_tbf(tbf->ms());</span><br><span>           if (!new_tbf) {</span><br><span>                      LOGPDCH(this, DRLCMAC, LOGL_ERROR, "Got ACK, but UL "</span><br><span>                              "TBF is gone TLLI=0x%08x\n", tlli);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-pcu/+/24747">change 24747</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-pcu/+/24747"/><meta itemprop="name" content="View Change"/></div></div>
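Review bot: in the hunk at @@ -304,7 +304,7 @@, `GprsMs *ms;` is now left uninitialized once the `bts_ms_by_tlli()` call is dropped; the only writes are the lookup inside the unknown-TBF branch (hunk at -314) and `ms = tbf->ms();` after `update_ms()` (hunk at -333). Any read of `ms` that sits between the declaration and those assignments would use an indeterminate pointer, and compilers are likely to flag a maybe-uninitialized use on the error path; initializing it as `GprsMs *ms = NULL;` keeps the declaration safe regardless of control flow and makes the intent of the later re-assignment explicit.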
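Review bot: in the hunk at @@ -332,6 +333,8 @@, the new comment "since it may be NULL or may have been merged during update_ms" is ambiguous: `tbf->ms()` is the value being assigned, yet the commit message states that TBF objects are always expected to carry a GprsMs, so the "may be NULL" part reads as referring to the removed `bts_ms_by_tlli()` result. Since the later `ms->nacc` access named in the commit message depends on this pointer, consider making the invariant explicit right after the assignment, e.g. `ms = tbf->ms();` followed by `OSMO_ASSERT(ms);`, and reword the comment to say the MS is taken from the TBF because `update_ms()` may have merged it into a different GprsMs object.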
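Review bot: in the hunks at @@ -353,7 +356,7 @@ and @@ -385,7 +388,7 @@, replacing `tbf->ms() ? ms_dl_tbf(tbf->ms()) : NULL` (and the `ms_ul_tbf` counterpart) with an unconditional `ms_dl_tbf(tbf->ms())` / `ms_ul_tbf(tbf->ms())` removes the last NULL guard on the TBF's MS in this function, so correctness now rests entirely on `update_ms()` never leaving the TBF without a GprsMs. That is consistent with the invariant stated in the commit message, but it is worth either asserting it once where `ms` is gathered after `update_ms()` or noting in the commit message that these guards were redundant for the same reason, so a future change to `update_ms()` does not silently reintroduce a NULL dereference here.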

<div style="display:none"> Gerrit-Project: osmo-pcu </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I666ed5d157f42e74956fa49fc9eea85d27e63d44 </div>
<div style="display:none"> Gerrit-Change-Number: 24747 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>