falconia has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/42680?usp=email )
Change subject: lapd_sap_stop(): fix use of uninitialized stack memory
......................................................................
lapd_sap_stop(): fix use of uninitialized stack memory
DL-RELEASE in lapd_core can be done in two ways: by sending DISC and waiting for UA, or a purely local clearing of state. The selection between these two modes is communicated via an extended field in struct osmo_dlsap_prim that extends beyond the standard struct osmo_prim_hdr. lapd_sap_stop() is a wrapper function that sends DL-RELEASE to lapd_core; its only current users are the vendor-specific E1 BTS handlers for Ericsson and Nokia in OsmoBSC, and both of those need local release handling. This wrapper function does allocate correctly-sized struct osmo_dlsap_prim on the stack, but until now it failed to initialize the extended field - hence the actual behavior was subject to laws of chance, depending on uninitialized content of stack memory.
Change-Id: Ic1469698ee8edf9b6fb55df8f79cc062be711f61
---
M src/input/lapd.c
1 file changed, 7 insertions(+), 0 deletions(-)
Approvals:
  fixeria: Looks good to me, but someone else must approve
  pespin: Looks good to me, but someone else must approve
  falconia: Looks good to me, approved
  Jenkins Builder: Verified
diff --git a/src/input/lapd.c b/src/input/lapd.c index 88cc26f..b335923 100644 --- a/src/input/lapd.c +++ b/src/input/lapd.c @@ -550,6 +550,13 @@ msg->l3h = msg->data; osmo_prim_init(&dp.oph, 0, PRIM_DL_REL, PRIM_OP_REQUEST, msg);
+ /* DL-RELEASE can be done in two ways: by sending DISC and waiting + * for UA, or a purely local clearing of state. The only current + * users of this lapd_sap_stop() API are vendor-specific E1 BTS + * handlers for Ericsson and Nokia in OsmoBSC, and both of them + * need local release handling. */ + dp.u.rel_req.mode = 1; + /* send to L2 */ return lapd_recv_dlsap(&dp, &sap->dl.lctx); }
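Review bot: the assignment `dp.u.rel_req.mode = 1;` fixes this one caller but leaves the underlying hazard in place: `osmo_prim_init(&dp.oph, 0, PRIM_DL_REL, PRIM_OP_REQUEST, msg);` only fills the `osmo_prim_hdr` part of `dp`, so every other member of the `u` union is still whatever happened to be on the stack, and the next extended field added to `struct osmo_dlsap_prim` will reintroduce exactly the bug this change describes. Consider zero-initializing the whole primitive where it is declared (`struct osmo_dlsap_prim dp = {};`, or a `memset(&dp, 0, sizeof(dp));` before the `osmo_prim_init()` call) and keeping the explicit `mode` assignment on top of that. Separately, the new comment explains that there are two release modes but never says which value selects which, so `1` reads as a magic number; either extend the comment to state that mode 1 is the local release (no DISC/UA exchange), or, if libosmocore exposes a named constant or enum for `rel_req.mode`, use that instead of the literal.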