pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bts/+/27360 )
Change subject: bts-trx: amr: Fix return code of osmo_amr_rtp_dec() checked too late ......................................................................
bts-trx: amr: Fix return code of osmo_amr_rtp_dec() checked too late
If len is < 0, it means osmo_amr_rtp_dec() failed and some of the out variables there are not set. We should check the return code before continuing and using potentially uninitialized values.
Change-Id: I76020c6b5dc8d3e52e8c5be8cdecdf8a0bb52ed9 --- M src/osmo-bts-trx/sched_lchan_tchf.c 1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/60/27360/1
diff --git a/src/osmo-bts-trx/sched_lchan_tchf.c b/src/osmo-bts-trx/sched_lchan_tchf.c index 08a58bb..b100fab 100644 --- a/src/osmo-bts-trx/sched_lchan_tchf.c +++ b/src/osmo-bts-trx/sched_lchan_tchf.c @@ -441,6 +441,10 @@ len = osmo_amr_rtp_dec(msg_tch->l2h, msgb_l2len(msg_tch), &cmr_codec, &cmi, &ft_codec, &bfi, &sti); + if (len < 0) { + LOGL1SB(DL1P, LOGL_ERROR, l1ts, br, "Cannot send invalid AMR payload\n"); + goto free_bad_msg; + } cmr = -1; ft = -1; for (i = 0; i < chan_state->codecs; i++) { @@ -478,10 +482,6 @@ LOGL1SB(DL1P, LOGL_ERROR, l1ts, br, "TCH mode invalid, please fix!\n"); goto free_bad_msg; } - if (len < 0) { - LOGL1SB(DL1P, LOGL_ERROR, l1ts, br, "Cannot send invalid AMR payload\n"); - goto free_bad_msg; - } if (msgb_l2len(msg_tch) != len) { LOGL1SB(DL1P, LOGL_ERROR, l1ts, br, "Cannot send payload with " "invalid length! (expecting %d, received %d)\n",