authorNeels Hofmeyr <neels@hofmeyr.de>2018-03-08 03:17:48 +0100
committerNeels Hofmeyr <neels@hofmeyr.de>2018-03-08 03:28:54 +0100
commitf0141b95cd265017189b7e918c6c80889bbd135f (patch)
tree3b1fa143da3bbea3ff32ecdfde15d47c859e55a9
parentf93970b167aba2805cc67e1326591f31fbe93ada (diff)
gsm48_parse_meas_rep(): set num_cell=0 if no neighbor cells are reported
Set mr->num_cell to 0 if the bits reflect 0x7, which means that no neighbor cell measurements are enclosed in the report. The code in gsm48_parse_meas_rep() acknowledges that, but nevertheless left num_cell == 7, and evaluating code commonly runs into the mistake of assuming that actually seven neighbors are being reported on, like: MEASUREMENT REPORT 0: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 1: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 2: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 3: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 4: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 5: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 6: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0 There are only up to 6 slots for neighbors, the above listing actually printed 7, because num_cell == 7, which is a potential segfault. (sometimes it printed uninitialized values instead of 0) We could fix all meas rep consumers to know what num_cell == 7 means, but instead setting it to 0 trivially fixes all of them. Change-Id: Ie12210660a04f2d664ddc92e7ad7fc39ee474180
-rw-r--r--src/libbsc/gsm_04_08_utils.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/libbsc/gsm_04_08_utils.c b/src/libbsc/gsm_04_08_utils.c
index 3004e5dfb..b75b42f9f 100644
--- a/src/libbsc/gsm_04_08_utils.c
+++ b/src/libbsc/gsm_04_08_utils.c
@@ -551,8 +551,11 @@ int gsm48_parse_meas_rep(struct gsm_meas_rep *rep, struct msgb *msg)
rep->dl.sub.rx_qual = (data[2] >> 1) & 0x7;
rep->num_cell = ((data[3] >> 6) & 0x3) | ((data[2] & 0x01) << 2);
- if (rep->num_cell < 1 || rep->num_cell > 6)
+ if (rep->num_cell < 1 || rep->num_cell > 6) {
+ /* There are no neighbor cell reports present. */
+ rep->num_cell = 0;
return 0;
+ }
/* an encoding nightmare in perfection */
mrc = &rep->cell[0];
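Review bot: The new comment inside the `if (rep->num_cell < 1 || rep->num_cell > 6)` branch does not say which value is being normalized or why the reset matters for memory safety. Per the commit description, the 3-bit field value 7 means no neighbor measurements are enclosed and there are only 6 neighbor slots, so I would word it as `/* 3-bit field: 7 means no neighbor measurements are enclosed; reset to 0 so consumers never walk past the 6 rep->cell[] slots. */`. Separately, the reads of `data[2]` and `data[3]`, and the slot decoding that starts at `mrc = &rep->cell[0];`, depend on the message being long enough. No length check is visible in this hunk, so it is worth confirming one exists earlier in gsm48_parse_meas_rep(), whose body starts and ends outside the hunk.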