laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/38138?usp=email )
Change subject: trau2rtp FR & EFR: fix uninitialized memory bug ......................................................................
trau2rtp FR & EFR: fix uninitialized memory bug
The implementation of osmo_trau2rtp() for FR and EFR speech frames had this bug: when moving individual bits from TRAU to RTP payload representation, the code would only set bits in the output buffer, but never clear them. The result is correct output only when the RTP payload buffer has been zeroed prior to calling the function, garbage otherwise.
OsmoMGW was not affected by this bug because it calls osmo_trau2rtp() with the output buffer pointed to a freshly allocated msgb, and msgb allocation in libosmocore memsets buffer memory to zeros. However, a sane API should not depend on previous content of output buffer memory, hence the function implementation in libosmotrau was still in the wrong.
Change-Id: I6e6693e096b920a973c8cc627e94884099d004b5 --- M src/trau/trau_rtp_conv.c 1 file changed, 2 insertions(+), 0 deletions(-)
Approvals: pespin: Looks good to me, approved Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve fixeria: Looks good to me, but someone else must approve
diff --git a/src/trau/trau_rtp_conv.c b/src/trau/trau_rtp_conv.c index 06979c6..1a200c7 100644 --- a/src/trau/trau_rtp_conv.c +++ b/src/trau/trau_rtp_conv.c @@ -133,6 +133,7 @@ return 0;
out[0] = 0xd << 4; + memset(out + 1, 0, GSM_FR_BYTES - 1); /* reassemble d-bits */ i = 0; /* counts bits */ j = 4; /* counts output bits */ @@ -391,6 +392,7 @@ return 0;
out[0] = 0xc << 4; + memset(out + 1, 0, GSM_EFR_BYTES - 1); /* reassemble d-bits */ for (i = 1, j = 4; i < 39; i++, j++) out[j/8] |= (tf->d_bits[i] << (7-(j%8)));