author | Neels Hofmeyr <neels@hofmeyr.de> | 2018-03-08 03:17:48 +0100 |
---|---|---|
committer | Ivan Kluchnikov <kluchnikovi@gmail.com> | 2018-09-03 15:13:42 +0300 |
commit | dc5b45e275035a3287b3e215d6b6bab3b506dc79 (patch) | |
tree | 10a794e6eb0a696a23317bb3c74819ad06d07229 | |
parent | 2eee8d9728916fc9b6e3f0be970e2d6f3284ac7c (diff) |
gsm48_parse_meas_rep(): set num_cell=0 if no neighbor cells are reported

Set mr->num_cell to 0 if the bits reflect 0x7, which means that no neighbor
cell measurements are enclosed in the report.

The code in gsm48_parse_meas_rep() acknowledges that, but nevertheless left
num_cell == 7, and evaluating code commonly runs into the mistake of assuming
that actually seven neighbors are being reported on, like:

    MEASUREMENT REPORT
    0: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    1: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    2: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    3: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    4: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    5: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
    6: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0

There are only up to 6 slots for neighbors, the above listing actually printed
7, because num_cell == 7, which is a potential segfault. (sometimes it printed
uninitialized values instead of 0)

We could fix all meas rep consumers to know what num_cell == 7 means, but
instead setting it to 0 trivially fixes all of them.

Change-Id: If2da33915e9a5eba02e83fa5372908ab10044911

-rw-r--r-- | openbsc/src/libbsc/gsm_04_08_utils.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/openbsc/src/libbsc/gsm_04_08_utils.c b/openbsc/src/libbsc/gsm_04_08_utils.c index 98f079078..bc2bafc76 100644 --- a/openbsc/src/libbsc/gsm_04_08_utils.c +++ b/openbsc/src/libbsc/gsm_04_08_utils.c @@ -581,8 +581,11 @@ int gsm48_parse_meas_rep(struct gsm_meas_rep *rep, struct msgb *msg) rep->dl.sub.rx_qual = (data[2] >> 1) & 0x7; rep->num_cell = ((data[3] >> 6) & 0x3) | ((data[2] & 0x01) << 2); - if (rep->num_cell < 1 || rep->num_cell > 6) + if (rep->num_cell < 1 || rep->num_cell > 6) { + /* There are no neighbor cell reports present. */ + rep->num_cell = 0; return 0; + } /* an encoding nightmare in perfection */ mrc = &rep->cell[0]; |
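
Review bot: the early-return branch at `if (rep->num_cell < 1 || rep->num_cell > 6) {` resets num_cell but still returns with rep->cell[] unwritten, so any consumer that reads rep->cell without first checking num_cell sees whatever was in that memory before the call; consider clearing the array in this branch before `return 0;`, or make sure callers hand in a zeroed struct. The new comment would also help future readers more if it said why the `> 6` arm exists: the value is assembled from three bits (`(data[3] >> 6) & 0x3` plus `(data[2] & 0x01) << 2`), so it can only be 0..7, and 7 is the "no neighbor cell measurements" encoding described in the commit message. If the literal 6 is meant to track the number of slots in rep->cell, tying it to the array size (for example via ARRAY_SIZE) would keep the bound and the storage from drifting apart.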