[S] Change in libosmo-gprs[master]: rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains several... - gerrit-log

27 Feb 2023

pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-gprs/+/31436 )
Change subject: rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains several LLC frames
......................................................................
rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains several LLC frames
Fixes: Coverity CID#310023
Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
---
M src/rlcmac/tbf_dl.c
1 file changed, 23 insertions(+), 13 deletions(-)
Approvals:
  Jenkins Builder: Verified
  fixeria: Looks good to me, approved

diff --git a/src/rlcmac/tbf_dl.c b/src/rlcmac/tbf_dl.c
index 7fb4be9..3861cae 100644
--- a/src/rlcmac/tbf_dl.c
+++ b/src/rlcmac/tbf_dl.c
@@ -154,29 +154,29 @@
    uint8_t len = blk->len;
    const struct gprs_rlcmac_rlc_block_info *rdbi = &blk->block_info;
    enum gprs_rlcmac_coding_scheme cs = blk->cs_last;
-	struct osmo_gprs_rlcmac_prim *rlcmac_prim;
-
-	struct gprs_rlcmac_rlc_llc_chunk frames[16], *frame;
+	struct gprs_rlcmac_rlc_llc_chunk frames[16];
    int i, num_frames = 0;
    int rc = 0;
LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Assembling frames: (len=%d)\n", len);
-	if (!dl_tbf->llc_rx_msg) {
-		rlcmac_prim = gprs_rlcmac_prim_alloc_grr_unitdata_ind(
-				dl_tbf->tbf.gre->tlli, NULL, GPRS_RLCMAC_LLC_PDU_MAX_LEN);
-		dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
-		dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
-	} else {
-		rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
-	}
-
    num_frames = gprs_rlcmac_rlc_data_from_dl_data(rdbi, cs, data,
    					       &frames[0], ARRAY_SIZE(frames));
/* create LLC frames */
    for (i = 0; i < num_frames; i++) {
-		frame = frames + i;
+		struct gprs_rlcmac_rlc_llc_chunk *frame = &frames[i];
+		struct osmo_gprs_rlcmac_prim *rlcmac_prim;
+
+		if (!dl_tbf->llc_rx_msg) {
+			rlcmac_prim = gprs_rlcmac_prim_alloc_grr_unitdata_ind(dl_tbf->tbf.gre->tlli,
+									      NULL,
+									      GPRS_RLCMAC_LLC_PDU_MAX_LEN);
+			dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
+			dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
+		} else {
+			rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
+		}
if (frame->length) {
    		LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Frame %d "
-- 
To view, visit https://gerrit.osmocom.org/c/libosmo-gprs/+/31436
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmo-gprs
Gerrit-Branch: master
Gerrit-Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
Gerrit-Change-Number: 31436
Gerrit-PatchSet: 2
Gerrit-Owner: pespin pespin@sysmocom.de
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria vyanitskiy@sysmocom.de
Gerrit-Reviewer: pespin pespin@sysmocom.de
Gerrit-MessageType: merged



    