[MERGED] osmo-bts[master]: Check readv() return value to prevent crash

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Max gerrit-no-reply at lists.osmocom.org
Fri Sep 8 12:57:46 UTC 2017


Max has submitted this change and it was merged.

Change subject: Check readv() return value to prevent crash
......................................................................


Check readv() return value to prevent crash

Previously result of readv() was used unconditionally so when it failed
and returned negative value it was treated like very large positive
which lead to memory corruption. Fix this and add proper error log.

Change-Id: I956c8d551f45c9dd43b5e9de11dfe20dd8783647
Related: SYS#3865
---
M src/osmo-bts-litecell15/l1_transp_hw.c
M src/osmo-bts-sysmo/l1_transp_hw.c
2 files changed, 16 insertions(+), 4 deletions(-)

Approvals:
  Pau Espin Pedrol: Looks good to me, but someone else must approve
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bts-litecell15/l1_transp_hw.c b/src/osmo-bts-litecell15/l1_transp_hw.c
index 6381864..b526108 100644
--- a/src/osmo-bts-litecell15/l1_transp_hw.c
+++ b/src/osmo-bts-litecell15/l1_transp_hw.c
@@ -204,9 +204,15 @@
 		iov[i].iov_len = msgb_tailroom(msg[i]);
 	}
 
-
 	rc = readv(ofd->fd, iov, ARRAY_SIZE(iov));
-	count = rc / prim_size;
+	if (rc < 0) {
+		LOGP(DL1C, LOGL_ERROR, "failed to read from fd: %s\n", strerror(errno));
+		/* N. B: we do not abort to let the cycle below cleanup allocated memory properly,
+		   the return value is ignored by the caller anyway.
+		   TODO: use libexplain's explain_readv() to provide detailed error description */
+		count = 0;
+	} else
+		count = rc / prim_size;
 
 	for (i = 0; i < count; ++i) {
 		msgb_put(msg[i], prim_size);
diff --git a/src/osmo-bts-sysmo/l1_transp_hw.c b/src/osmo-bts-sysmo/l1_transp_hw.c
index da8ac3f..9c0a514 100644
--- a/src/osmo-bts-sysmo/l1_transp_hw.c
+++ b/src/osmo-bts-sysmo/l1_transp_hw.c
@@ -215,9 +215,15 @@
 		iov[i].iov_len = msgb_tailroom(msg[i]);
 	}
 
-
 	rc = readv(ofd->fd, iov, ARRAY_SIZE(iov));
-	count = rc / prim_size;
+	if (rc < 0) {
+		LOGP(DL1C, LOGL_ERROR, "failed to read from fd: %s\n", strerror(errno));
+		/* N. B: we do not abort to let the cycle below cleanup allocated memory properly,
+		   the return value is ignored by the caller anyway.
+		   TODO: use libexplain's explain_readv() to provide detailed error description */
+		count = 0;
+	} else
+		count = rc / prim_size;
 
 	for (i = 0; i < count; ++i) {
 		msgb_put(msg[i], prim_size);

-- 
To view, visit https://gerrit.osmocom.org/3878
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I956c8d551f45c9dd43b5e9de11dfe20dd8783647
Gerrit-PatchSet: 5
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Max <msuraev at sysmocom.de>
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>



More information about the gerrit-log mailing list