This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
dexter gerrit-no-reply at lists.osmocom.org

Hello Jenkins Builder,

I'd like you to reexamine a change. Please visit https://gerrit.osmocom.org/5402 to look at the new patch set (#3).

octphy: l1_oml: check returncode of trx_by_l1h()

The function trx_by_l1h() is used to fetch the pointer to an osmo_bts_trx from a list. The ID that is used to reference the transceiver comes from the incoming message. If the firmware sends odd identifiers (firmware bugs, damaged packets) the transceiver can not be found in the list and a nullpointer is returned, which then leads into a nullpointer dereference problem.

Check the returncode, and depending on the situation either return with -EINVAL or exit osmo-bts immediately.

Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7
---
M src/osmo-bts-octphy/l1_oml.c
1 file changed, 35 insertions(+), 0 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/02/5402/3

diff --git a/src/osmo-bts-octphy/l1_oml.c b/src/osmo-bts-octphy/l1_oml.c index a1c384a..d57228d 100644 --- a/src/osmo-bts-octphy/l1_oml.c +++ b/src/osmo-bts-octphy/l1_oml.c @@ -54,6 +54,9 @@ bool no_fw_check = 0; +#define LOGPTRX(byTrxId, level, fmt, args...) \ + LOGP(DL1C, level, "(byTrxId %u) " fmt, byTrxId, ## args) + /* Map OSMOCOM logical channel type to OctPHY Logical channel type */ static tOCTVC1_GSM_LOGICAL_CHANNEL_COMBINATION_ENUM pchan_to_logChComb[_GSM_PCHAN_MAX] = { @@ -377,6 +380,10 @@ mOCTVC1_GSM_MSG_TRX_ACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ar); trx = trx_by_l1h(fl1, ar->TrxId.byTrxId); + if (!trx) { + LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during lchan activation\n"); + return -EINVAL; + } lchan = get_lchan_by_lchid(trx, &ar->LchId); sapi = ar->LchId.bySAPI; 
@@ -488,6 +495,11 @@ } trx = trx_by_l1h(fl1, pcr->TrxId.byTrxId); + if (!trx) { + LOGPTRX(pcr->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during cipher mode activation\n"); + return -EINVAL; + } + OSMO_ASSERT(pcr->TrxId.byTrxId == trx->nr); ts = &trx->ts[pcr->PchId.byTimeslotNb]; /* for some strange reason the response does not tell which @@ -687,6 +699,10 @@ mOCTVC1_GSM_MSG_TRX_DEACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ldr); trx = trx_by_l1h(fl1, ldr->TrxId.byTrxId); + if (!trx) { + LOGPTRX(ldr->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during lchan deactivation\n"); + return -EINVAL; + } lchan = get_lchan_by_lchid(trx, &ldr->LchId); @@ -1266,6 +1282,10 @@ mOCTVC1_GSM_MSG_TRX_OPEN_RSP_SWAP(or); trx = trx_by_l1h(fl1h, or->TrxId.byTrxId); + if (!trx) { + LOGPTRX(or->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during TRX opening procedure -- abort\n"); + exit(1); + } LOGP(DL1C, LOGL_INFO, "TRX-OPEN.resp(trx=%u) = %s\n", trx->nr, octvc1_rc2string(or->Header.ulReturnCode)); @@ -1394,6 +1414,11 @@ mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar); trx = trx_by_l1h(fl1, ar->TrxId.byTrxId); + if (!trx) { + LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during physical channel activation -- abort\n"); + exit(1); + } + ts_nr = ar->PchId.byTimeslotNb; OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts)); @@ -1472,6 +1497,11 @@ struct gsm_bts_trx_ts *ts; trx = trx_by_l1h(fl1, ar->TrxId.byTrxId); + if (!trx) { + LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during ts disconnection\n"); + return -EINVAL; + } + ts_nr = ar->PchId.byTimeslotNb; ts = &trx->ts[ts_nr]; 
@@ -1495,6 +1525,11 @@ mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar); trx = trx_by_l1h(fl1, ar->TrxId.byTrxId); + if (!trx) { + LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id while connecting ts\n"); + return -EINVAL; + } + ts_nr = ar->PchId.byTimeslotNb; OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts)); -- To view, visit https://gerrit.osmocom.org/5402 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: newpatchset Gerrit-Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7 Gerrit-PatchSet: 3 Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Owner: dexter <pmaier at sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Max <msuraev at sysmocom.de> Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
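Review bot: in the cipher mode hunk (@@ -488), the new NULL check validates byTrxId, but the context line right after it still uses pcr->PchId.byTimeslotNb from the same response as an unchecked array index in `ts = &trx->ts[pcr->PchId.byTimeslotNb];`. A response that can carry an odd transceiver id can carry an odd timeslot number as well, so bound it against ARRAY_SIZE(trx->ts) and return -EINVAL in the same way. The ts disconnection hunk (@@ -1472) has the same pattern with `ts = &trx->ts[ts_nr];`. Separately, the existing `OSMO_ASSERT(pcr->TrxId.byTrxId == trx->nr);` still aborts on a mismatch in message content, which sits oddly next to the graceful -EINVAL path added just above it.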
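Review bot: the exit(1) in the TRX opening hunk (@@ -1266), repeated in the physical channel activation hunk (@@ -1394), lets a single response with an unknown byTrxId terminate osmo-bts, and the commit message itself names damaged packets as one source of such ids. The other five call sites return -EINVAL, so please add a code comment at both exit(1) sites stating why these two procedures cannot recover, or return an error here too and let the caller decide whether to shut down. If the abort stays, LOGL_FATAL would describe the log line better than LOGL_ERROR.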
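Review bot: in the last hunk (@@ -1495), and likewise in @@ -1394, the context line `OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));` accepts ts_nr equal to the array size, which is one past the last valid index. ts_nr is taken from ar->PchId.byTimeslotNb in the same response whose byTrxId this patch now treats as untrusted, so the comparison should be `<`. Since the change is about surviving bad identifiers from the firmware, consider fixing that here (or in a follow-up) as a checked -EINVAL return rather than an assert.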