authorVadim Yanitskiy <vyanitskiy@sysmocom.de>2023-03-21 05:42:02 +0700
committerfixeria <vyanitskiy@sysmocom.de>2023-03-24 18:24:01 +0000
commite464ef652426c306aa02f5f3187d78e5d287175d (patch)
tree7fe608cb5bea89b79d9a19ebd66263ea59ac7793 /src/osmo-bts-oc2g/l1_if.c
parentdbd70bca75af982ed68e2c0654499dd4045796a1 (diff)
osmo-bts-{sysmo,lc15,oc2g}: fix segfault in ph_tch_req()
ph_tch_req() is a recursive function and conditionally calls itself at the very bottom. The recursive call happens iff all of the following conditions are met: * DTXd is enabled, * AMR codec is in use, * DTX DL AMR FSM state is recursive. The problem is that ph_tch_req() may pull sizeof(*lsap) from the given msgb twice: during the initial and the recursive calls. The second attempt to pull sizeof(*lsap) causes the process to abort, because the remaining room is less than it's attempting to pull. AFAICT, doing msgb_pull() is not really necessary, given that l1sap_tch_rts_ind() thankfully does set msg->l2h before pushing the lsap header in front of the actual frame. Update osmo-bts-sysmo and its copy-pasted siblings, which are likely affected too, except osmo-bts-octphy which does not do the recursion. Change-Id: Ib349b74a9e4bd48c902286f872d3b0e9a068256c Related: OS#5925
Diffstat (limited to 'src/osmo-bts-oc2g/l1_if.c')
-rw-r--r--src/osmo-bts-oc2g/l1_if.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/osmo-bts-oc2g/l1_if.c b/src/osmo-bts-oc2g/l1_if.c
index 194f82a4..3308a462 100644
--- a/src/osmo-bts-oc2g/l1_if.c
+++ b/src/osmo-bts-oc2g/l1_if.c
@@ -561,7 +561,6 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
/* create new message and fill data */
if (msg) {
- msgb_pull(msg, sizeof(*l1sap));
/* create new message */
nmsg = l1p_msgb_alloc();
if (!nmsg)
@@ -570,7 +569,7 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
rc = l1if_tch_encode(lchan,
l1p->u.phDataReq.msgUnitParam.u8Buffer,
&l1p->u.phDataReq.msgUnitParam.u8Size,
- msg->data, msg->len, u32Fn, use_cache,
+ msgb_l2(msg), msgb_l2len(msg), u32Fn, use_cache,
l1sap->u.tch.marker);
if (rc < 0) {
/* no data encoded for L1: smth will be generated below */
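Review bot: The new `msgb_l2(msg), msgb_l2len(msg)` arguments make `l1if_tch_encode()` depend on `msg->l2h` having been set by the caller, and nothing in this hunk enforces that; if I read the msgb helpers right, depending on the libosmocore version `msgb_l2len()` either asserts on a NULL `l2h` or computes `tail - l2h`, which for a NULL `l2h` is a huge length that the encoder would read past the end of the buffer. Since the removed `msgb_pull()` was the only thing tying the data pointer to the payload, I would make the assumption explicit right before the `rc = l1if_tch_encode(lchan,` line with `OSMO_ASSERT(msgb_l2(msg) != NULL);` (or a non-fatal `if (!msgb_l2(msg)) return -EINVAL;` if aborting the TCH path is undesirable). The first hunk also deserves a comment above `if (msg) {` so the next maintainer does not reintroduce the pull: `/* Do not msgb_pull() the l1sap header: this function recurses on the same msg (DTXd + AMR), and l2h already points at the payload (set by l1sap_tch_rts_ind()). */`. ph_tch_req() starts before the first hunk and continues past the end of the second.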