[MERGED] osmo-bts[master]: octphy: l1_oml: check returncode of trx_by_l1h()


Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Dec 20 15:44:25 UTC 2017


Harald Welte has submitted this change and it was merged.

Change subject: octphy: l1_oml: check returncode of trx_by_l1h()
......................................................................


octphy: l1_oml: check returncode of trx_by_l1h()

The function trx_by_l1h() is used to fetch the pointer to an
osmo_bts_trx from a list. The ID that is used to reference the
transceiver comes from the incoming message. If the firmware
sends odd identifiers (firmware bugs, damaged packets) the
transceiver can not be found in the list and a nullpointer is
returned, which then leads into a nullpointer dereference
problem.

Check the returncode, and depending on the situation either
return with -EINVAL or exit osmo-bts immediately.

Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7
---
M src/osmo-bts-octphy/l1_oml.c
1 file changed, 35 insertions(+), 0 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bts-octphy/l1_oml.c b/src/osmo-bts-octphy/l1_oml.c
index a1c384a..d57228d 100644
--- a/src/osmo-bts-octphy/l1_oml.c
+++ b/src/osmo-bts-octphy/l1_oml.c
@@ -54,6 +54,9 @@
 
 bool no_fw_check = 0;
 
+#define LOGPTRX(byTrxId, level, fmt, args...) \
+	LOGP(DL1C, level, "(byTrxId %u) " fmt, byTrxId, ## args)
+
 /* Map OSMOCOM logical channel type to OctPHY Logical channel type */
 static tOCTVC1_GSM_LOGICAL_CHANNEL_COMBINATION_ENUM pchan_to_logChComb[_GSM_PCHAN_MAX] =
 {
@@ -377,6 +380,10 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during lchan activation\n");
+		return -EINVAL;
+	}
 
 	lchan = get_lchan_by_lchid(trx, &ar->LchId);
 	sapi = ar->LchId.bySAPI;
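Review bot: The new early `return -EINVAL` in the lchan activation handler leaves the function before any cleanup at its end, which lies outside this hunk. If the callback owns the response message buffer and releases it on the normal path, the error path needs the same release before returning, for example `msgb_free(<response msgb>);` (placeholder name, the variable is not visible here). Otherwise every malformed response from the PHY would leak one buffer. The same question applies to the `return -EINVAL` paths added for cipher mode activation, lchan deactivation, ts disconnection and ts connection.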
@@ -488,6 +495,11 @@
 	}
 
 	trx = trx_by_l1h(fl1, pcr->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(pcr->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during cipher mode activation\n");
+		return -EINVAL;
+	}
+
 	OSMO_ASSERT(pcr->TrxId.byTrxId == trx->nr);
 	ts = &trx->ts[pcr->PchId.byTimeslotNb];
 	/* for some strange reason the response does not tell which
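Review bot: `ts = &trx->ts[pcr->PchId.byTimeslotNb]` indexes the timeslot array with a value from the same response whose transceiver id the new check no longer trusts, and no range check is visible in this hunk. Rejecting it next to the transceiver check closes that gap: `if (pcr->PchId.byTimeslotNb >= ARRAY_SIZE(trx->ts)) return -EINVAL;`. The ts disconnection hunk has the same pattern, with `ts = &trx->ts[ts_nr];` directly after reading `ar->PchId.byTimeslotNb`. The function body continues outside the hunk.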
@@ -687,6 +699,10 @@
 
 	mOCTVC1_GSM_MSG_TRX_DEACTIVATE_LOGICAL_CHANNEL_RSP_SWAP(ldr);
 	trx = trx_by_l1h(fl1, ldr->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(ldr->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during lchan deactivation\n");
+		return -EINVAL;
+	}
 
 	lchan = get_lchan_by_lchid(trx, &ldr->LchId);
 
@@ -1266,6 +1282,10 @@
 
 	mOCTVC1_GSM_MSG_TRX_OPEN_RSP_SWAP(or);
 	trx = trx_by_l1h(fl1h, or->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(or->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during TRX opening procedure -- abort\n");
+		exit(1);
+	}
 
 	LOGP(DL1C, LOGL_INFO, "TRX-OPEN.resp(trx=%u) = %s\n",
 		trx->nr, octvc1_rc2string(or->Header.ulReturnCode));
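Review bot: The message logged immediately before `exit(1)` is emitted at `LOGL_ERROR`, so a deployment that filters the L1C category to fatal messages records nothing about why the process ended. `LOGL_FATAL` fits a path that terminates osmo-bts. A one-line comment such as `/* no TRX to attach the failure to, cannot continue start-up */` would also record why this handler exits while most of the others return `-EINVAL`. The same applies to the `exit(1)` added for physical channel activation.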
@@ -1394,6 +1414,11 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during physical channel activation -- abort\n");
+		exit(1);
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));
 
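Review bot: `OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts))` accepts `ts_nr == ARRAY_SIZE(trx->ts)`, which is one past the last element, so it does not protect a later `trx->ts[ts_nr]` access; the comparison should be `<`. `ts_nr` is read from the same firmware response as the transceiver id, so this is the same class of bad input the commit is hardening against. The identical assert appears in the ts connection hunk at the end of the patch. The line is unchanged context and the function continues outside the hunk.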
@@ -1472,6 +1497,11 @@
 	struct gsm_bts_trx_ts *ts;
 
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id during ts disconnection\n");
+		return -EINVAL;
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	ts = &trx->ts[ts_nr];
 
@@ -1495,6 +1525,11 @@
 
 	mOCTVC1_GSM_MSG_TRX_ACTIVATE_PHYSICAL_CHANNEL_RSP_SWAP(ar);
 	trx = trx_by_l1h(fl1, ar->TrxId.byTrxId);
+	if (!trx) {
+		LOGPTRX(ar->TrxId.byTrxId, LOGL_ERROR, "response with unexpected physical transceiver-id while connecting ts\n");
+		return -EINVAL;
+	}
+
 	ts_nr = ar->PchId.byTimeslotNb;
 	OSMO_ASSERT(ts_nr <= ARRAY_SIZE(trx->ts));
 
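Review bot: The missing-transceiver check here returns `-EINVAL`, while the physical channel activation handler earlier in the patch calls `exit(1)` for the same condition on the same ACTIVATE_PHYSICAL_CHANNEL response type, and nothing in the code explains the difference. The commit message only says "depending on the situation". A short comment above each check would document the policy, for example `/* ts connect is retried per timeslot, so drop the response instead of aborting */` if that is indeed the reason. Without it, the two branches look like an oversight.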

-- 
To view, visit https://gerrit.osmocom.org/5402
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I04ef3b4896e1322c2a6d29ea86a88994c7748bf7
Gerrit-PatchSet: 3
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>


