diff options
| author | Harald Welte <laforge@gnumonks.org> | 2019-07-21 12:18:02 +0200 |
|---|---|---|
| committer | fixeria <axilirator@gmail.com> | 2019-09-07 23:05:22 +0000 |
| commit | 9d5acaad5c8c43ebb5e37484040ca1e9c1d56f59 (patch) | |
| tree | 06c6cebe2961a164ec245a478f6467d9bd8ab3c1 /src | |
| parent | af2a8a6c81e2c19a96803c472eace69050a8c85b (diff) | |
osmo-bts-trx/scheduler: prevent uninitialized memory access
When sending an AMR BFI, we need to call osmo_amr_rtp_enc() with
AMR_BAD as the last parameter. This function returns the length
of encoded payload, which needs to be at least 2 octets long.
If osmo_amr_rtp_enc() returns a length value lower than 2 octets
(what should not happen in general), we should neither call
memset() on it, nor call _sched_compose_tch_ind().
Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9
Fixes: CID#178648, CID#178637, CID#178651
Diffstat (limited to 'src')
| -rw-r--r-- | src/osmo-bts-trx/scheduler_trx.c | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/src/osmo-bts-trx/scheduler_trx.c b/src/osmo-bts-trx/scheduler_trx.c index ef241195..1a60443a 100644 --- a/src/osmo-bts-trx/scheduler_trx.c +++ b/src/osmo-bts-trx/scheduler_trx.c @@ -382,8 +382,12 @@ static void tx_tch_common(struct l1sched_trx *l1t, uint8_t tn, uint32_t fn, len = osmo_amr_rtp_enc(tch_data, chan_state->codec[chan_state->dl_cmr], chan_state->codec[chan_state->dl_ft], AMR_BAD); - if (len < 2) - break; + if (len < 2) { + LOGL1S(DL1P, LOGL_ERROR, l1t, tn, chan, fn, + "Failed to encode AMR_BAD frame (rc=%d), " + "not sending BFI\n", len); + return; + } memset(tch_data + 2, 0, len - 2); _sched_compose_tch_ind(l1t, tn, fn, chan, tch_data, len); break; @@ -1284,8 +1288,12 @@ bfi: chan_state->codec[chan_state->dl_cmr], chan_state->codec[chan_state->dl_ft], AMR_BAD); - if (rc < 2) - break; + if (rc < 2) { + LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn, + "Failed to encode AMR_BAD frame (rc=%d), " + "not sending BFI\n", rc); + return -EINVAL; + } memset(tch_data + 2, 0, rc - 2); break; default: @@ -1477,8 +1485,12 @@ bfi: chan_state->codec[chan_state->dl_cmr], chan_state->codec[chan_state->dl_ft], AMR_BAD); - if (rc < 2) - break; + if (rc < 2) { + LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn, chan, bi->fn, + "Failed to encode AMR_BAD frame (rc=%d), " + "not sending BFI\n", rc); + return -EINVAL; + } memset(tch_data + 2, 0, rc - 2); break; default: |