Change in osmocom-bb[master]: layer23/l1ctl: fix NULL-pointer dereference reported by ASan

laforge gerrit-no-reply at lists.osmocom.org
Sun Mar 1 19:19:21 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmocom-bb/+/17295 )

Change subject: layer23/l1ctl: fix NULL-pointer dereference reported by ASan
......................................................................

layer23/l1ctl: fix NULL-pointer dereference reported by ASan

Some applications (e.g. ccch_scan) may not initialize ms->cellsel.si,
some (e.g. mobile) may need some time to initialize it. Let's assume
that 'bs_ag_blks_res' is 1 if System Information is not available.

Change-Id: Ie695d9700c01ee1e6778950a2f3c8610b69d2143
---
M src/host/layer23/src/common/l1ctl.c
1 file changed, 8 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved



diff --git a/src/host/layer23/src/common/l1ctl.c b/src/host/layer23/src/common/l1ctl.c
index de66972..b6ee455 100644
--- a/src/host/layer23/src/common/l1ctl.c
+++ b/src/host/layer23/src/common/l1ctl.c
@@ -218,6 +218,7 @@
 	struct rx_meas_stat *meas = &ms->meas;
 	uint8_t chan_type, chan_ts, chan_ss;
 	uint8_t gsmtap_chan_type;
+	uint8_t bs_ag_blks_res;
 	struct gsm_time tm;
 
 	if (msgb_l1len(msg) < sizeof(*dl)) {
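Review bot: the new `bs_ag_blks_res` local in the declaration block is left without an initializer, and its only assignment is the if/else added in the second hunk, roughly 85 lines further down. Initializing it to the fallback at the declaration (`uint8_t bs_ag_blks_res = 1;`) would reduce the later code to a single NULL-checked override and would keep the value defined if another use is ever added between the two points.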
@@ -302,7 +303,13 @@
 		return 0;
 	}
 
-	gsmtap_chan_type = chantype_rsl2gsmtap_ext(chan_type, dl->link_id, tm.fn, ms->cellsel.si->bs_ag_blks_res);
+	/* May not be initialized in some applications (e.g. ccch_scan) */
+	if (ms->cellsel.si != NULL)
+		bs_ag_blks_res = ms->cellsel.si->bs_ag_blks_res;
+	else /* fall-back to 1 (this is what OsmoBTS does) */
+		bs_ag_blks_res = 1;
+
+	gsmtap_chan_type = chantype_rsl2gsmtap_ext(chan_type, dl->link_id, tm.fn, bs_ag_blks_res);
 	/* don't log fill frames via GSMTAP; they serve no purpose other than
 	 * to clog up your logs */
 	if (!is_fill_frame(gsmtap_chan_type, ccch->data)) {
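Review bot: the `ms->cellsel.si != NULL` test guards the pointer only, not whether System Information has actually been received. The commit message says mobile "may need some time to initialize it", so if the structure can exist before it is populated, `ms->cellsel.si->bs_ag_blks_res` would be read from a not-yet-filled struct and the fallback of 1 would not apply. If the structure carries any validity indication, test it alongside the NULL check. The literal 1 would also be easier to audit as a named constant, and the in-code comment could mention the mobile startup case next to ccch_scan so it matches the commit message.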

-- 
To view, visit https://gerrit.osmocom.org/c/osmocom-bb/+/17295

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: Ie695d9700c01ee1e6778950a2f3c8610b69d2143
Gerrit-Change-Number: 17295
Gerrit-PatchSet: 4
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged