Change in osmo-bts[master]: scheduler: Fix reading out of buffer during tx of dummy burst on PDCH...

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

pespin gerrit-no-reply at lists.osmocom.org
Fri Jun 12 10:01:46 UTC 2020


pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/18751 )

Change subject: scheduler: Fix reading out of buffer during tx of dummy burst on PDCH TS with EGPRS enabled
......................................................................

scheduler: Fix reading out of buffer during tx of dummy burst on PDCH TS with EGPRS enabled

If for whatever reason (eg fn-advance too small) there's no burst
available for a PDCH TS where EGPRS is enabled, a dummy burst of size GSM_BURST_LEN
would be selected in _sched_dl_burst(), but the nbits length would still be set to
EGPRS_BURST_LEN above by func() pointer (tx_pdtch_fn()).
As a result, trx_if_send_burst() would later read EGPRS_BURST_LEN from the
dummy burst of size GSM_BURST_LEN.

The issue was found by ASan. See OS#4606 for more info.

Fixes: OS#4606
Change-Id: Iba6ccceed5c0f1db810259768678f174d39cbf8b
---
M src/common/scheduler.c
1 file changed, 2 insertions(+), 0 deletions(-)

Approvals:
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/common/scheduler.c b/src/common/scheduler.c
index 55cb36a..021a4cd 100644
--- a/src/common/scheduler.c
+++ b/src/common/scheduler.c
@@ -1211,6 +1211,8 @@
 			     trx_chan_desc[chan].name, fn, tn, bid);
 #endif
 		bits = (ubit_t *) dummy_burst;
+		if (nbits)
+			*nbits = ARRAY_SIZE(dummy_burst);
 	}
 
 	return bits;

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/18751
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: Iba6ccceed5c0f1db810259768678f174d39cbf8b
Gerrit-Change-Number: 18751
Gerrit-PatchSet: 2
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200612/b9a2d2d9/attachment.htm>


More information about the gerrit-log mailing list