scheduler: Fix reading out of buffer during tx of dummy burst on PDCH TS with EGPRS enabled

If for whatever reason (eg fn-advance too small) there's no burst available for a PDCH TS where EGPRS is enabled, a dummy burst of size GSM_BURST_LEN would be selected in _sched_dl_burst(), but the nbits length would still be set to EGPRS_BURST_LEN above by func() pointer (tx_pdtch_fn()). As a result, trx_if_send_burst() would later read EGPRS_BURST_LEN from the dummy burst of size GSM_BURST_LEN. The issue was found by ASan. See OS#4606 for more info. Fixes: OS#4606 Change-Id: Iba6ccceed5c0f1db810259768678f174d39cbf8b
author: Pau Espin Pedrol <pespin@sysmocom.de> 2020-06-09 17:57:08 +0200
committer: pespin <pespin@sysmocom.de> 2020-06-12 10:01:46 +0000
commit: 0bf87ccc3e43fb3ed638b6991563a297fd8b041a (patch)
tree: 1359d8abe9614bdbba7bb033d3967a18b4358dbd /src/common/scheduler.c
parent: 8c6bc4dbb478cf3d0135126e62515a3a0e1e56b2 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/common/scheduler.c b/src/common/scheduler.c
index 55cb36a7..021a4cd6 100644
--- a/src/common/scheduler.c
+++ b/src/common/scheduler.c
@@ -1211,6 +1211,8 @@ no_data:
 			     trx_chan_desc[chan].name, fn, tn, bid);
 #endif
 		bits = (ubit_t *) dummy_burst;
+		if (nbits)
+			*nbits = ARRAY_SIZE(dummy_burst);
 	}
 
 	return bits;
author	Pau Espin Pedrol <pespin@sysmocom.de>	2020-06-09 17:57:08 +0200
committer	pespin <pespin@sysmocom.de>	2020-06-12 10:01:46 +0000
commit	0bf87ccc3e43fb3ed638b6991563a297fd8b041a (patch)
tree	1359d8abe9614bdbba7bb033d3967a18b4358dbd /src/common/scheduler.c
parent	8c6bc4dbb478cf3d0135126e62515a3a0e1e56b2 (diff)