From 24bb7656cf2770db2e3a0a1462220d26236b6458 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Wed, 10 Oct 2018 16:01:30 +0200
Subject: meas_rep.c: make sure to never use unset measurements

In lchan->meas_rep[], any valid measurement that came in gets a backpointer to the lchan set. When the lchan is first allocated or cleared, all those backpointers are NULL and reliably indicate unset array entries.

In get_field(), consider e.g. field MEAS_REP_UL_RXLEV_FULL: it might return a value even for an unset array entry, because there is no presence bit for that field. It would then likely return 0. Checking of get_field() return values in get_meas_rep_avg() just does >=0, so zero values *are* counted.

Make sure to return -EINVAL if no lchan backpointer is set, so that none of these values can possibly count for an average.

Change-Id: I80f4cef9cc06950fe163a7d5d747630dbd70ec36
---
 src/osmo-bsc/meas_rep.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/osmo-bsc/meas_rep.c b/src/osmo-bsc/meas_rep.c
index 73d9a1f21..ba5b9210f 100644
--- a/src/osmo-bsc/meas_rep.c
+++ b/src/osmo-bsc/meas_rep.c
@@ -27,6 +27,10 @@
 static int get_field(const struct gsm_meas_rep *rep,
 enum meas_rep_field field)
 {
+ /* Uninitialized array index? */
+ if (!rep->lchan)
+ return -EINVAL;
+
 switch (field) {
 case MEAS_REP_DL_RXLEV_FULL:
 if (!(rep->flags & MEAS_REP_F_DL_VALID))
@@ -52,9 +56,9 @@ static int get_field(const struct gsm_meas_rep *rep,
 return rep->ul.full.rx_qual;
 case MEAS_REP_UL_RXQUAL_SUB:
 return rep->ul.sub.rx_qual;
+ default:
+ return -EINVAL;
 }
-
- return 0;
 }
--
cgit v1.2.3
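Review bot: The comment `/* Uninitialized array index? */` above the new `if (!rep->lchan)` guard in get_field() does not record why a NULL backpointer means the data is unusable, and it is the array entry, not the index, that is unset. A comment such as `/* No lchan backpointer: this meas_rep[] entry was never filled, none of its fields are valid */` would state the invariant the guard depends on. That invariant (backpointer set only when a valid report is stored, NULL after the lchan is allocated or cleared) is taken from the commit message and is not visible in this hunk, so it is worth confirming that no path reuses an entry without clearing it. The switch in get_field() continues past the end of the hunk.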
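Review bot: The `default:` label added at the end of get_field()'s switch disables the compiler's enum-coverage warning (-Wswitch), so a `meas_rep_field` value added later without its own case would compile silently and return -EINVAL at run time. Leaving the switch without a default and changing the removed trailing statement to `return -EINVAL;` after the switch's closing brace gives the same result for unknown fields while keeping that warning. Whether every current enumerator already has a case cannot be checked here, because the function starts before this hunk.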