falconia submitted this change.
lapd_sap_stop(): fix use of uninitialized stack memory
DL-RELEASE in lapd_core can be done in two ways: by sending DISC
and waiting for UA, or a purely local clearing of state. The
selection between these two modes is communicated via an extended
field in struct osmo_dlsap_prim that extends beyond the standard
struct osmo_prim_hdr. lapd_sap_stop() is a wrapper function that
sends DL-RELEASE to lapd_core; its only current users are the
vendor-specific E1 BTS handlers for Ericsson and Nokia in OsmoBSC,
and both of those need local release handling. This wrapper
function does allocate correctly-sized struct osmo_dlsap_prim
on the stack, but until now it failed to initialize the extended
field - hence the actual behavior was subject to laws of chance,
depending on uninitialized content of stack memory.
Change-Id: Ic1469698ee8edf9b6fb55df8f79cc062be711f61
---
M src/input/lapd.c
1 file changed, 7 insertions(+), 0 deletions(-)
diff --git a/src/input/lapd.c b/src/input/lapd.c
index 88cc26f..b335923 100644
--- a/src/input/lapd.c
+++ b/src/input/lapd.c
@@ -550,6 +550,13 @@
msg->l3h = msg->data;
osmo_prim_init(&dp.oph, 0, PRIM_DL_REL, PRIM_OP_REQUEST, msg);
+ /* DL-RELEASE can be done in two ways: by sending DISC and waiting
+ * for UA, or a purely local clearing of state. The only current
+ * users of this lapd_sap_stop() API are vendor-specific E1 BTS
+ * handlers for Ericsson and Nokia in OsmoBSC, and both of them
+ * need local release handling. */
+ dp.u.rel_req.mode = 1;
+
/* send to L2 */
return lapd_recv_dlsap(&dp, &sap->dl.lctx);
}
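Review bot: `dp.u.rel_req.mode = 1;` selects local release with a bare magic number, and the comment above it explains only why the two current callers want that behaviour, not what the value means; add a short comment (or a named constant, if lapd_core.h provides one) saying that a nonzero mode means local release without DISC/UA. Since the wrapper is now hard-wired to the local path, the restriction should also be stated at the lapd_sap_stop() declaration so a future caller that needs the DISC/UA handshake does not pick this API by mistake, or the mode should become a parameter of the wrapper. Finally, the commit message says the primitive lives on the stack: zero-initialising it (`struct osmo_dlsap_prim dp = {0};` or a memset before osmo_prim_init()) would keep any extended field added later from reopening the same uninitialised-memory problem that this change fixes for `mode`.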
To view, visit change 42680.
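The commit message describes two DL-RELEASE paths (DISC/UA handshake versus purely local clearing) selected by an extended field that the header initialiser never writes. The following is an added, self-contained C model of that situation; it is not libosmocore code, and every identifier in it (prim_init, dlsap_prim, lapd_rel_req, lapd_rx_frame, sap_stop, run_release) is a hypothetical stand-in for the real osmo_prim_init()/osmo_dlsap_prim/lapd_core API. The "nonzero mode means local release" rule is taken from the patch's `dp.u.rel_req.mode = 1;` and its comment, not from the lapd_core source.

```c
/* Added example, not libosmocore code: a miniature model of the two
 * DL-RELEASE paths from the commit message and of the stack-initialisation
 * bug it fixes. All names are hypothetical stand-ins for the real API. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

enum prim_type { PRIM_DL_REL = 3 };
enum lapd_state { ST_IDLE, ST_ESTABLISHED, ST_DISC_SENT };
enum frame { FRAME_NONE, FRAME_DISC, FRAME_UA };

/* Standard header: the part a generic initialiser fills in. */
struct prim_hdr {
    unsigned int primitive;
    unsigned int operation;
};

/* Extended primitive: header plus a union the header initialiser never
 * touches. For DL-RELEASE.req, mode != 0 selects local release (assumed
 * semantics, mirroring the patch's "mode = 1" for local release). */
struct dlsap_prim {
    struct prim_hdr oph;
    union {
        struct { uint8_t mode; } rel_req;
    } u;
};

/* Models osmo_prim_init(): writes only the header, nothing in the union. */
static void prim_init(struct prim_hdr *oph, unsigned int prim, unsigned int op)
{
    oph->primitive = prim;
    oph->operation = op;
}

struct lapd_dl {
    enum lapd_state state;
    enum frame last_tx;   /* last frame "sent" towards the peer */
};

/* Models the core's handling of DL-RELEASE.req. */
static int lapd_rel_req(struct lapd_dl *dl, const struct dlsap_prim *dp)
{
    if (dp->oph.primitive != PRIM_DL_REL)
        return -1;
    if (dp->u.rel_req.mode) {
        /* local release: clear state, send nothing to the peer */
        dl->state = ST_IDLE;
        dl->last_tx = FRAME_NONE;
    } else {
        /* normal release: send DISC and wait for the peer's UA */
        dl->state = ST_DISC_SENT;
        dl->last_tx = FRAME_DISC;
    }
    return 0;
}

/* Peer side: a UA completes a pending DISC. */
static void lapd_rx_frame(struct lapd_dl *dl, enum frame f)
{
    if (dl->state == ST_DISC_SENT && f == FRAME_UA)
        dl->state = ST_IDLE;
}

/* Corrected wrapper: every byte of the stack-allocated primitive is
 * defined before it reaches the core, and the mode is chosen explicitly
 * by the caller instead of being left to leftover stack contents. */
static int sap_stop(struct lapd_dl *dl, bool local)
{
    struct dlsap_prim dp;
    memset(&dp, 0, sizeof(dp));          /* belt and braces for the union */
    prim_init(&dp.oph, PRIM_DL_REL, 0);  /* header only, like the original */
    dp.u.rel_req.mode = local ? 1 : 0;   /* the field the fix initialises */
    return lapd_rel_req(dl, &dp);
}

/* Drive one release scenario on an established link and return the link. */
static struct lapd_dl run_release(bool local, bool peer_answers_ua)
{
    struct lapd_dl dl = { .state = ST_ESTABLISHED, .last_tx = FRAME_NONE };
    (void)sap_stop(&dl, local);
    if (peer_answers_ua)
        lapd_rx_frame(&dl, FRAME_UA);
    return dl;
}

int main(void)
{
    /* Local release is immediate; normal release needs the peer's UA. */
    if (run_release(true, false).state != ST_IDLE)
        return 1;
    if (run_release(false, false).state != ST_DISC_SENT)
        return 1;
    return run_release(false, true).state == ST_IDLE ? 0 : 1;
}
```

Dropping the memset and the `mode` assignment from sap_stop() reproduces the original defect: prim_init() leaves `dp.u` untouched, so which branch lapd_rel_req() takes depends on whatever the previous call left on the stack. Building with `-fsanitize=memory` (clang) or running under valgrind flags that conditional jump on uninitialised data, which is the check worth adding to a test suite for code that hands stack-allocated primitives to a core that reads fields the initialiser does not set.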