fixeria submitted this change.
trxcon/l1sched: fix NULL pointer dereference in tx_tch[fh]_fn()
If msg is NULL, we're inducing a BFI condition at the BTS side receiver
by sending a TCH/A[FH]S block with invalid CRC6. In this case we need
to skip the rest of the function and jump to send_burst immediately.
Change-Id: I159b2ed455377c77d8764f9320efd15333129afb
Fixes: 7c00190b "trxcon/l1sched: fix sending dummy TCH/A[FH]S blocks"
Fixes: CID#368538
---
M src/host/trxcon/src/sched_lchan_tchf.c
M src/host/trxcon/src/sched_lchan_tchh.c
2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/src/host/trxcon/src/sched_lchan_tchf.c b/src/host/trxcon/src/sched_lchan_tchf.c
index d11b314..7cc1856 100644
--- a/src/host/trxcon/src/sched_lchan_tchf.c
+++ b/src/host/trxcon/src/sched_lchan_tchf.c
@@ -321,6 +321,8 @@
lchan->amr.codecs,
lchan->amr.ul_ft,
lchan->amr.ul_cmr);
+ if (msg == NULL)
+ goto send_burst;
break;
}
/* CSD (TCH/F14.4): 14.5 kbit/s radio interface rate */
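Review bot: The new `if (msg == NULL)` / `goto send_burst;` pair before the `break;` carries no comment, so the reason a NULL msg is expected on this path (deliberately inducing a BFI by sending a TCH/AFS block with invalid CRC6) is recorded only in the commit message. A one-line comment above the check would keep a later cleanup from removing it as dead code. The send_burst label and the code between this switch and that label are not visible in this hunk. It is worth confirming that the jump skips only code that dereferences msg, and nothing that updates lchan state or checks the encoder's result.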
diff --git a/src/host/trxcon/src/sched_lchan_tchh.c b/src/host/trxcon/src/sched_lchan_tchh.c
index 0d3de00..6c88d19 100644
--- a/src/host/trxcon/src/sched_lchan_tchh.c
+++ b/src/host/trxcon/src/sched_lchan_tchh.c
@@ -528,6 +528,8 @@
lchan->amr.codecs,
lchan->amr.ul_ft,
lchan->amr.ul_cmr);
+ if (msg == NULL)
+ goto send_burst;
break;
}
/* CSD (TCH/H4.8): 6.0 kbit/s radio interface rate */
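Review bot: The guard is added only at the end of the AMR case, and the CSD (TCH/H4.8) case that follows in the trailing context gets no equivalent check in this hunk. If msg can also be NULL when that case is reached, the same dereference remains reachable there. Please either confirm that an earlier check rules it out or extend the guard. Since the identical two lines are now duplicated in sched_lchan_tchf.c and sched_lchan_tchh.c, a shared comment wording in both places would also make it clear that the two must stay in sync.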
To view, visit change 36910.