SI10: Fix uninitialized l_bts pointer

l_bts must be declared outside the for-loop. If the loop is passed with
n_bts set the first time, l_bts is set. If the loop is passed with
n_bts set next time(s), l_bts is used to encode additional neighbor
cell infos.

Related: CID#330310 and CID#330311
Change-Id: I9dbbd066075f9ccb331616a2b59b46b1b44c8b4c

1 files changed, 3 insertions, 2 deletions

diff --git a/src/osmo-bsc/system_information.c b/src/osmo-bsc/system_information.c
index 477e9fab3..141a720b1 100644
--- a/src/osmo-bsc/system_information.c
+++ b/src/osmo-bsc/system_information.c
@@ -1421,7 +1421,7 @@ int gsm_generate_si10(struct gsm48_system_information_type_10 *si10, size_t len,
 		      const struct gsm_subscriber_connection *conn)
 {
 	struct bitvec *nbv;
-	struct gsm_bts *s_bts = conn->lchan->ts->trx->bts;
+	struct gsm_bts *s_bts = conn->lchan->ts->trx->bts, *l_bts = NULL;
 	int i;
 	bool any_neighbor = false;
 	int rc;
@@ -1443,7 +1443,7 @@ int gsm_generate_si10(struct gsm48_system_information_type_10 *si10, size_t len,
 
 	/* Get up to 32 possible neighbor frequencies that SI10 can refer to. */
 	for (i = 0; i < 32; i++) {
-		struct gsm_bts *c_bts, *n_bts, *l_bts;
+		struct gsm_bts *c_bts, *n_bts;
 		struct gsm_subscriber_connection *c;
 		unsigned int save_cur_bit;
 		int16_t arfcn;
@@ -1478,6 +1478,7 @@ int gsm_generate_si10(struct gsm48_system_information_type_10 *si10, size_t len,
 				save_cur_bit = bv.cur_bit;
 				/* Nth neighbor, so add rest octets with differential cell info. */
 				LOGP(DRR, LOGL_INFO, "Append cell ID %d to SI 10.\n", n_bts->cell_identity);
+				OSMO_ASSERT(l_bts);
 				rc = si10_rest_octets_encode_other(s_bts, &bv, l_bts, n_bts, last_i, i);
 				if (rc < 0) {
 					LOGP(DRR, LOGL_INFO, "Skip cell ID %d, SI 10 would overflow.\n",