Change in ...osmo-bts[master]: osmo-bts-trx/scheduler: prevent uninitialized memory access

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Sat Sep 7 23:05:23 UTC 2019 

fixeria has submitted this change and it was merged. ( https://gerrit.osmocom.org/c/osmo-bts/+/14876 )

Change subject: osmo-bts-trx/scheduler: prevent uninitialized memory access
......................................................................

osmo-bts-trx/scheduler: prevent uninitialized memory access

When sending an AMR BFI, we need to call osmo_amr_rtp_enc() with
AMR_BAD as the last parameter. This function returns the length
of encoded payload, which needs to be at least 2 octets long.

If osmo_amr_rtp_enc() returns a length value lower than 2 octets
(what should not happen in general), we should neither call
memset() on it, nor call _sched_compose_tch_ind().

Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9
Fixes: CID#178648, CID#178637, CID#178651
---
M src/osmo-bts-trx/scheduler_trx.c
1 file changed, 18 insertions(+), 6 deletions(-)

Approvals:
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/osmo-bts-trx/scheduler_trx.c b/src/osmo-bts-trx/scheduler_trx.c
index ef24119..1a60443 100644
--- a/src/osmo-bts-trx/scheduler_trx.c
+++ b/src/osmo-bts-trx/scheduler_trx.c
@@ -382,8 +382,12 @@
 			len = osmo_amr_rtp_enc(tch_data,
 				chan_state->codec[chan_state->dl_cmr],
 				chan_state->codec[chan_state->dl_ft], AMR_BAD);
-			if (len < 2)
-				break;
+			if (len < 2) {
+				LOGL1S(DL1P, LOGL_ERROR, l1t, tn, chan, fn,
+				       "Failed to encode AMR_BAD frame (rc=%d), "
+				       "not sending BFI\n", len);
+				return;
+			}
 			memset(tch_data + 2, 0, len - 2);
 			_sched_compose_tch_ind(l1t, tn, fn, chan, tch_data, len);
 			break;
@@ -1284,8 +1288,12 @@
 					chan_state->codec[chan_state->dl_cmr],
 					chan_state->codec[chan_state->dl_ft],
 					AMR_BAD);
-				if (rc < 2)
-					break;
+				if (rc < 2) {
+					LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn,
+					       "Failed to encode AMR_BAD frame (rc=%d), "
+					       "not sending BFI\n", rc);
+					return -EINVAL;
+				}
 				memset(tch_data + 2, 0, rc - 2);
 				break;
 			default:
@@ -1477,8 +1485,12 @@
 					chan_state->codec[chan_state->dl_cmr],
 					chan_state->codec[chan_state->dl_ft],
 					AMR_BAD);
-				if (rc < 2)
-					break;
+				if (rc < 2) {
+					LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn,
+					       "Failed to encode AMR_BAD frame (rc=%d), "
+					       "not sending BFI\n", rc);
+					return -EINVAL;
+				}
 				memset(tch_data + 2, 0, rc - 2);
 				break;
 			default:

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/14876
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9
Gerrit-Change-Number: 14876
Gerrit-PatchSet: 6
Gerrit-Owner: laforge <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at gnumonks.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190907/85a4bf43/attachment.htm>

More information about the gerrit-log mailing list