pespin submitted this change.



Approvals: Jenkins Builder: Verified fixeria: Looks good to me, approved
rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains several LLC frames

Fixes: Coverity CID#310023
Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
---
M src/rlcmac/tbf_dl.c
1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/src/rlcmac/tbf_dl.c b/src/rlcmac/tbf_dl.c
index 7fb4be9..3861cae 100644
--- a/src/rlcmac/tbf_dl.c
+++ b/src/rlcmac/tbf_dl.c
@@ -154,29 +154,29 @@
uint8_t len = blk->len;
const struct gprs_rlcmac_rlc_block_info *rdbi = &blk->block_info;
enum gprs_rlcmac_coding_scheme cs = blk->cs_last;
- struct osmo_gprs_rlcmac_prim *rlcmac_prim;
-
- struct gprs_rlcmac_rlc_llc_chunk frames[16], *frame;
+ struct gprs_rlcmac_rlc_llc_chunk frames[16];
int i, num_frames = 0;
int rc = 0;

LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Assembling frames: (len=%d)\n", len);

- if (!dl_tbf->llc_rx_msg) {
- rlcmac_prim = gprs_rlcmac_prim_alloc_grr_unitdata_ind(
- dl_tbf->tbf.gre->tlli, NULL, GPRS_RLCMAC_LLC_PDU_MAX_LEN);
- dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
- dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
- } else {
- rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
- }
-
num_frames = gprs_rlcmac_rlc_data_from_dl_data(rdbi, cs, data,
&frames[0], ARRAY_SIZE(frames));

/* create LLC frames */
for (i = 0; i < num_frames; i++) {
- frame = frames + i;
+ struct gprs_rlcmac_rlc_llc_chunk *frame = &frames[i];
+ struct osmo_gprs_rlcmac_prim *rlcmac_prim;
+
+ if (!dl_tbf->llc_rx_msg) {
+ rlcmac_prim = gprs_rlcmac_prim_alloc_grr_unitdata_ind(dl_tbf->tbf.gre->tlli,
+ NULL,
+ GPRS_RLCMAC_LLC_PDU_MAX_LEN);
+ dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
+ dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
+ } else {
+ rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
+ }

if (frame->length) {
LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Frame %d "
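Review bot: The return value of `gprs_rlcmac_prim_alloc_grr_unitdata_ind()` is dereferenced on the very next added line (`dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;`) without a NULL check, and the allocation now sits inside the per-frame loop, so it can run several times for one downlink block. The allocator's definition is not visible here, but if it can fail, an allocation failure while processing network-supplied RLC data becomes a NULL dereference instead of a handled error. A guard right after the call would cover it, for example `if (!rlcmac_prim) { rc = -ENOMEM; break; }`, assuming the code after the loop returns `rc`. The enclosing function starts and ends outside this hunk, so the exit path and the place where `dl_tbf->llc_rx_msg` is reset between frames should be checked against the full function.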


Gerrit-Project: libosmo-gprs
Gerrit-Branch: master
Gerrit-Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
Gerrit-Change-Number: 31436
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-MessageType: merged