From 6dd7c4fb573bb51729560b700d4e837ce2b32fdb Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Mon, 23 Jan 2012 10:22:09 +0100
Subject: misc: Check return value of msgb _alloc functions

Attempt to catch all functions that allocate a msgb and didn't check the return value of the allocation.
---
 src/common/oml.c | 6 +++-
 src/common/rsl.c | 61 ++++++++++++++++++++++++++++++++++-------
 src/osmo-bts-sysmo/tch.c | 71 +++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 111 insertions(+), 27 deletions(-)

diff --git a/src/common/oml.c b/src/common/oml.c
index a7bcc407..f6eaec75 100644
--- a/src/common/oml.c
+++ b/src/common/oml.c
@@ -288,10 +288,14 @@ int oml_fom_ack_nack(struct msgb *old_msg, uint8_t cause)
 {
 struct abis_om_hdr *old_oh = msgb_l2(old_msg);
 struct abis_om_fom_hdr *old_foh = msgb_l3(old_msg);
- struct msgb *msg = oml_msgb_alloc();
+ struct msgb *msg;
 struct abis_om_fom_hdr *foh;
 int is_manuf = 0;
+ msg = oml_msgb_alloc();
+ if (!msg)
+ return -ENOMEM;
+
 /* make sure to respond with MANUF if request was MANUF */
 if (old_oh->mdisc == ABIS_OM_MDISC_MANUF)
 is_manuf = 1;
diff --git a/src/common/rsl.c b/src/common/rsl.c
index 4c4d397a..d0d38e86 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -465,11 +465,15 @@ static int rsl_rx_imm_ass(struct gsm_bts_trx *trx, struct msgb *msg)
 /* 8.4.19 sending RF CHANnel RELease ACKnowledge */
 int rsl_tx_rf_rel_ack(struct gsm_lchan *lchan)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_NOTICE, "%s Tx RF CHAN REL ACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 rsl_dch_push_hdr(msg, RSL_MT_RF_CHAN_REL_ACK, chan_nr);
 msg->trx = lchan->ts->trx;
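Review bot: In rsl_tx_rf_rel_ack the `Tx RF CHAN REL ACK` notice is logged before the new `if (!msg) return -ENOMEM;`, so on allocation failure the log reports a transmit that never happens and nothing records the failure. Logging in the failure branch, as the bts_model_rtp_rx_cb hunk in tch.c already does, would make memory exhaustion visible to operators: `LOGP(DRSL, LOGL_ERROR, "%s Failed to allocate RSL msgb\n", gsm_lchan_name(lchan));`. The same applies to the other rsl.c hunks that log a Tx line ahead of the allocation (rsl_tx_chan_act_ack through rsl_tx_meas_res), and oml_fom_ack_nack and tx_ciph_mod_compl_hack also fail silently. The function bodies continue outside the hunks, so whether callers act on -ENOMEM is not visible here.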
@@ -479,12 +483,16 @@ int rsl_tx_rf_rel_ack(struct gsm_lchan *lchan)
 /* 8.4.2 sending CHANnel ACTIVation ACKnowledge */
 int rsl_tx_chan_act_ack(struct gsm_lchan *lchan, struct gsm_time *gtime)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 uint8_t ie[2];
 LOGP(DRSL, LOGL_NOTICE, "%s Tx CHAN ACT ACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 gsm48_gen_starting_time(ie, gtime);
 msgb_tv_fixed_put(msg, RSL_IE_FRAME_NUMBER, 2, ie);
 rsl_dch_push_hdr(msg, RSL_MT_CHAN_ACTIV_ACK, chan_nr);
@@ -730,11 +738,15 @@ static int rsl_rx_rf_chan_rel(struct gsm_lchan *lchan)
 static int tx_ciph_mod_compl_hack(struct gsm_lchan *lchan, uint8_t link_id, const char *imeisv)
 {
- struct msgb *fake_msg = rsl_msgb_alloc(128);
+ struct msgb *fake_msg;
 struct gsm48_hdr *g48h;
 uint8_t mid_buf[11];
 int rc;
+ fake_msg = rsl_msgb_alloc(128);
+ if (!fake_msg)
+ return -ENOMEM;
+
 /* generate 04.08 RR message */
 g48h = (struct gsm48_hdr *) msgb_put(fake_msg, sizeof(*g48h));
 g48h->proto_discr = GSM48_PDISC_RR;
@@ -857,12 +869,16 @@ static int rsl_rx_encr_cmd(struct msgb *msg)
 /* 8.4.11 MODE MODIFY NEGATIVE ACKNOWLEDGE */
 static int rsl_tx_mode_modif_nack(struct gsm_lchan *lchan, uint8_t cause)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_NOTICE, "%s Tx MODE MODIFY NACK (cause = 0x%02x)\n", gsm_lchan_name(lchan), cause);
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 msg->len = 0;
 msg->data = msg->tail = msg->l3h;
@@ -877,11 +893,15 @@ static int rsl_tx_mode_modif_nack(struct gsm_lchan *lchan, uint8_t cause)
 /* 8.4.10 MODE MODIFY ACK */
 static int rsl_tx_mode_modif_ack(struct gsm_lchan *lchan)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_INFO, "%s Tx MODE MODIF ACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 rsl_dch_push_hdr(msg, RSL_MT_MODE_MODIFY_ACK, chan_nr);
 msg->trx = lchan->ts->trx;
@@ -1020,7 +1040,7 @@ int rsl_tx_ipac_dlcx_ind(struct gsm_lchan *lchan, uint8_t cause)
 static int rsl_tx_ipac_XXcx_ack(struct gsm_lchan *lchan, int inc_pt2, uint8_t orig_msgt)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 uint32_t *att_ip;
 const char *name;
@@ -1039,6 +1059,11 @@ static int rsl_tx_ipac_XXcx_ack(struct gsm_lchan *lchan, int inc_pt2,
 LOGPC(DRSL, LOGL_INFO, "remote %s:%u)\n", inet_ntoa(ia), lchan->abis_ip.connect_port);
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
+
 /* Connection ID */
 msgb_tv16_put(msg, RSL_IE_IPAC_CONN_ID, htons(lchan->abis_ip.conn_id));
@@ -1066,12 +1091,16 @@ static int rsl_tx_ipac_XXcx_ack(struct gsm_lchan *lchan, int inc_pt2,
 static int rsl_tx_ipac_dlcx_ack(struct gsm_lchan *lchan, int inc_conn_id)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_INFO, "%s RSL Tx IPAC_DLCX_ACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 if (inc_conn_id)
 msgb_tv_put(msg, RSL_IE_IPAC_CONN_ID, lchan->abis_ip.conn_id);
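Review bot: The allocation block added in the second rsl_tx_ipac_XXcx_ack hunk is followed by two blank `+` lines before `/* Connection ID */`, where every other hunk in this file adds one; drop the extra blank line. The function starts in the preceding hunk and continues past this one.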
@@ -1084,12 +1113,16 @@ static int rsl_tx_ipac_dlcx_ack(struct gsm_lchan *lchan, int inc_conn_id)
 static int rsl_tx_ipac_dlcx_nack(struct gsm_lchan *lchan, int inc_conn_id, uint8_t cause)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_INFO, "%s RSL Tx IPAC_DLCX_NACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 if (inc_conn_id)
 msgb_tv_put(msg, RSL_IE_IPAC_CONN_ID, lchan->abis_ip.conn_id);
@@ -1107,13 +1140,17 @@ static int rsl_tx_ipac_dlcx_nack(struct gsm_lchan *lchan, int inc_conn_id,
 static int tx_ipac_XXcx_nack(struct gsm_lchan *lchan, uint8_t cause, int inc_ipport, uint8_t orig_msgtype)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 /* FIXME: allocate new msgb and copy old over */
 LOGP(DRSL, LOGL_NOTICE, "%s RSL Tx IPAC_BIND_NACK\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 if (inc_ipport) {
 uint32_t *att_ip;
 /* remote IP */
@@ -1378,11 +1415,15 @@ static int rslms_is_meas_rep(struct msgb *msg)
 /* 8.4.8 MEASUREMENT RESult */
 static int rsl_tx_meas_res(struct gsm_lchan *lchan, uint8_t *l3, int l3_len)
 {
- struct msgb *msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ struct msgb *msg;
 uint8_t chan_nr = gsm_lchan2chan_nr(lchan);
 LOGP(DRSL, LOGL_NOTICE, "%s Tx MEAS RES\n", gsm_lchan_name(lchan));
+ msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr));
+ if (!msg)
+ return -ENOMEM;
+
 msgb_tv_put(msg, RSL_IE_MEAS_RES_NR, lchan->meas.res_nr++);
 if (lchan->meas.flags & LC_UL_M_F_RES_VALID) {
 uint8_t meas_res[16];
diff --git a/src/osmo-bts-sysmo/tch.c b/src/osmo-bts-sysmo/tch.c
index 9ea78072..31f86896 100644
--- a/src/osmo-bts-sysmo/tch.c
+++ b/src/osmo-bts-sysmo/tch.c
@@ -97,9 +97,13 @@ void osmo_nibble_shift_left_unal(uint8_t *out, const uint8_t *in,
 static struct msgb *l1_to_rtppayload_fr(uint8_t *l1_payload, uint8_t payload_len)
 {
- struct msgb *msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ struct msgb *msg;
 uint8_t *cur;
+ msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ if (!msg)
+ return NULL;
+
 /* step1: reverse the bit-order of each payload byte */
 osmo_revbytebits_buf(l1_payload, payload_len);
@@ -134,9 +138,13 @@ static int rtppayload_to_l1_fr(uint8_t *l1_payload, const uint8_t *rtp_payload,
 #ifdef GsmL1_TchPlType_Efr
 static struct msgb *l1_to_rtppayload_efr(uint8_t *l1_payload, uint8_t payload_len)
 {
- struct msgb *msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ struct msgb *msg;
 uint8_t *cur;
+ msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ if (!msg)
+ return NULL;
+
 /* step1: reverse the bit-order of each payload byte */
 osmo_revbytebits_buf(l1_payload, payload_len);
@@ -155,9 +163,13 @@ static struct msgb *l1_to_rtppayload_efr(uint8_t *l1_payload, uint8_t payload_le
 static struct msgb *l1_to_rtppayload_hr(uint8_t *l1_payload, uint8_t payload_len)
 {
- struct msgb *msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ struct msgb *msg;
 uint8_t *cur;
+ msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ if (!msg)
+ return NULL;
+
 if (payload_len != GSM_HR_BYTES) {
 LOGP(DL1C, LOGL_ERROR, "L1 HR frame length %u != expected %u\n", payload_len, GSM_HR_BYTES);
@@ -203,12 +215,16 @@ static int rtppayload_to_l1_hr(uint8_t *l1_payload, const uint8_t *rtp_payload,
 static struct msgb *l1_to_rtppayload_amr(uint8_t *l1_payload, uint8_t payload_len, struct amr_multirate_conf *amr_mrc)
 {
- struct msgb *msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ struct msgb *msg;
 uint8_t *cur;
 u_int8_t cmr;
 uint8_t ft = l1_payload[2] & 0xF;
 uint8_t amr_if2_len = payload_len - 2;
+ msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");
+ if (!msg)
+ return NULL;
+
 #if 0
 uint8_t cmr_idx = l1_payload[1];
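Review bot: l1_to_rtppayload_hr still allocates `msg` before the `payload_len != GSM_HR_BYTES` check, and the body of that error branch is cut off by the hunk; if it returns without `msgb_free(msg)`, every wrong-length HR frame leaks the msgb. Validating the length first removes the question: move the `if (payload_len != GSM_HR_BYTES) { ... }` block above `msg = msgb_alloc_headroom(1024, 128, "L1C-to-RTP");`, which the commit makes easy now that the allocation is a plain statement.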
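Review bot: In l1_to_rtppayload_amr the initializers `ft = l1_payload[2] & 0xF` and `amr_if2_len = payload_len - 2` still run before any length check visible in the hunk; with `payload_len` below 2 the `uint8_t` result wraps to 254 or 255, and with it below 3 the read of `l1_payload[2]` goes beyond the stated payload length. Since this commit already turns the allocation initializer into an assignment, the same treatment fits here: declare both without initializers and assign them after a guard such as `if (payload_len < 3) return NULL;`. This matters only if the caller, which is not shown, does not already guarantee a minimum length. The function continues outside the hunk.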
@@ -375,17 +391,30 @@ void bts_model_rtp_rx_cb(struct osmo_rtp_socket *rs, const uint8_t *rtp_pl,
 unsigned int rtp_pl_len)
 {
 struct gsm_lchan *lchan = rs->priv;
- struct msgb *msg = l1p_msgb_alloc();
- GsmL1_Prim_t *l1p = msgb_l1prim(msg);
- GsmL1_PhDataReq_t *data_req = &l1p->u.phDataReq;
- GsmL1_MsgUnitParam_t *msu_param = &data_req->msgUnitParam;
- uint8_t *payload_type = &msu_param->u8Buffer[0];
- uint8_t *l1_payload = &msu_param->u8Buffer[1];
+ struct msgb *msg;
+ GsmL1_Prim_t *l1p;
+ GsmL1_PhDataReq_t *data_req;
+ GsmL1_MsgUnitParam_t *msu_param;
+ uint8_t *payload_type;
+ uint8_t *l1_payload;
 int rc;
 DEBUGP(DRTP, "%s RTP IN: %s\n", gsm_lchan_name(lchan), osmo_hexdump(rtp_pl, rtp_pl_len));
+ msg = l1p_msgb_alloc();
+ if (!msg) {
+ LOGP(DRTP, LOGL_ERROR, "%s: Failed to allocate Rx payload.\n",
+ gsm_lchan_name(lchan));
+ return;
+ }
+
+ l1p = msgb_l1prim(msg);
+ data_req = &l1p->u.phDataReq;
+ msu_param = &data_req->msgUnitParam;
+ payload_type = &msu_param->u8Buffer[0];
+ l1_payload = &msu_param->u8Buffer[1];
+
 switch (lchan->tch_mode) {
 case GSM48_CMODE_SPEECH_V1:
 if (lchan->type == GSM_LCHAN_TCH_F) {
@@ -533,12 +562,22 @@ err_payload_match:
 struct msgb *gen_empty_tch_msg(struct gsm_lchan *lchan)
 {
- struct msgb *msg = l1p_msgb_alloc();
- GsmL1_Prim_t *l1p = msgb_l1prim(msg);
- GsmL1_PhDataReq_t *data_req = &l1p->u.phDataReq;
- GsmL1_MsgUnitParam_t *msu_param = &data_req->msgUnitParam;
- uint8_t *payload_type = &msu_param->u8Buffer[0];
- uint8_t *l1_payload = &msu_param->u8Buffer[1];
+ struct msgb *msg;
+ GsmL1_Prim_t *l1p;
+ GsmL1_PhDataReq_t *data_req;
+ GsmL1_MsgUnitParam_t *msu_param;
+ uint8_t *payload_type;
+ uint8_t *l1_payload;
+
+ msg = l1p_msgb_alloc();
+ if (!msg)
+ return NULL;
+
+ l1p = msgb_l1prim(msg);
+ data_req = &l1p->u.phDataReq;
+ msu_param = &data_req->msgUnitParam;
+ payload_type = &msu_param->u8Buffer[0];
+ l1_payload = &msu_param->u8Buffer[1];
 switch (lchan->tch_mode) {
 case GSM48_CMODE_SPEECH_AMR:
-- 
cgit v1.2.3
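Review bot: gen_empty_tch_msg gains a `return NULL` path here, as do the l1_to_rtppayload_* helpers earlier in this file, but no caller is part of the diff, so it is not visible whether the result is checked before it is dereferenced or queued. A one-line contract comment above the function would make the requirement explicit: `/* Returns NULL if the msgb cannot be allocated; the caller must check. */`. Unlike the bts_model_rtp_rx_cb hunk, this failure path is also silent, so a matching `LOGP(DRTP, LOGL_ERROR, ...)` would keep the two consistent. The switch that follows continues outside the hunk.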