diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2020-06-09 17:57:08 +0200 |
---|---|---|
committer | pespin <pespin@sysmocom.de> | 2020-06-12 10:01:46 +0000 |
commit | 0bf87ccc3e43fb3ed638b6991563a297fd8b041a (patch) | |
tree | 1359d8abe9614bdbba7bb033d3967a18b4358dbd /src/common/scheduler.c | |
parent | 8c6bc4dbb478cf3d0135126e62515a3a0e1e56b2 (diff) |
scheduler: Fix reading out of buffer during tx of dummy burst on PDCH TS with EGPRS enabled
If for whatever reason (eg fn-advance too small) there's no burst
available for a PDCH TS where EGPRS is enabled, a dummy burst of size GSM_BURST_LEN
would be selected in _sched_dl_burst(), but the nbits length would still be set to
EGPRS_BURST_LEN above by func() pointer (tx_pdtch_fn()).
As a result, trx_if_send_burst() would later read EGPRS_BURST_LEN from the
dummy burst of size GSM_BURST_LEN.
The issue was found by ASan. See OS#4606 for more info.
Fixes: OS#4606
Change-Id: Iba6ccceed5c0f1db810259768678f174d39cbf8b
Diffstat (limited to 'src/common/scheduler.c')
-rw-r--r-- | src/common/scheduler.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/common/scheduler.c b/src/common/scheduler.c index 55cb36a7..021a4cd6 100644 --- a/src/common/scheduler.c +++ b/src/common/scheduler.c @@ -1211,6 +1211,8 @@ no_data: trx_chan_desc[chan].name, fn, tn, bid); #endif bits = (ubit_t *) dummy_burst; + if (nbits) + *nbits = ARRAY_SIZE(dummy_burst); } return bits; |