diff options
| author | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2016-12-28 20:18:31 +0100 |
|---|---|---|
| committer | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2017-01-06 13:54:04 +0000 |
| commit | b78a4a6dfef217c538d45949a6ae725e22a36b05 (patch) | |
| tree | cbeaacc514e9392bfac2824abf6945a9e4440ce9 | |
| parent | 06bdb3550c7dea052884a65e5a585d4d79d8fe7d (diff) | |
fix segfault: check for NULL tbf in sched_select_ctrl_msg()
Apparently fixes a corrupted stack looking like this on sysmobts:
(gdb) run
Starting program: /usr/bin/osmo-pcu -c /etc/osmocom/osmo-pcu.cfg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
<000b> telnet_interface.c:95 telnet at 127.0.0.1 4240
<0001> osmobts_sock.cpp:227 Opening OsmoPCU L1 interface to OsmoBTS
<0001> osmobts_sock.cpp:285 osmo-bts PCU socket has been connected
<0001> pcu_l1_if.cpp:368 BTS available
<0008> gprs_ns.c:233 NSVCI=65534 Creating NS-VC
<0008> gprs_ns.c:233 NSVCI=100 Creating NS-VC
<0008> gprs_ns.c:1568 NSEI=100 RESET procedure based on API request
<0008> gprs_ns.c:393 NSEI=100 Tx NS RESET (NSVCI=100, cause=O&M intervention)
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=2
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=2
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=3
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=3
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=4
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=4
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=5
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=5
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=6
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=6
<0001> pcu_l1_if.cpp:83 Sending activate request: trx=0 ts=7
<0001> pcu_l1_if.cpp:495 PDCH: trx=0 ts=7
<0001> pcu_l1_if.cpp:319 RACH request received: sapi=1 qta=0, ra=120, fn=103198
<0009> tbf_ul.cpp:373 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0x7f2dd569 DIR=UL STATE=FLOW) len=6
<0008> gprs_ns.c:684 All NS-VCs for NSEI 100 are either dead or blocked!
Program received signal SIGSEGV, Segmentation fault.
gprs_rlcmac_rcv_rts_block (bts=0x60a08, trx=trx@entry=0 '\000', ts=ts@entry=4 '\004', fn=7, fn@entry=103272,
block_nr=block_nr@entry=0 '\000') at gprs_rlcmac_sched.cpp:349
349 gprs_rlcmac_sched.cpp: No such file or directory.
(gdb) bt
#0 gprs_rlcmac_rcv_rts_block (bts=0x60a08, trx=trx@entry=0 '\000', ts=ts@entry=4 '\004', fn=7, fn@entry=103272,
block_nr=block_nr@entry=0 '\000') at gprs_rlcmac_sched.cpp:349
#1 0x0001151c in pcu_rx_rts_req_pdtch (trx=<optimized out>, ts=<optimized out>, fn=103272, block_nr=<optimized out>)
at pcu_l1_if.cpp:279
#2 0x0000bfcc in handle_ph_readytosend_ind (fl1h=0xafa40, rts_ind=0xb03f8) at osmo-bts-sysmo/sysmo_l1_if.c:142
#3 l1if_handle_l1prim (wq=<optimized out>, fl1h=0xafa40, msg=0xb0330) at osmo-bts-sysmo/sysmo_l1_if.c:259
#4 0x4fcd6330 in osmo_fd_disp_fds (_eset=0xbefffb68, _wset=0xbefffae8, _rset=0xbefffa68) at select.c:149
#5 osmo_select_main (polling=<optimized out>) at select.c:189
#6 0x0000b2a0 in main (argc=<optimized out>, argv=0x66628 <_ZStL8__ioinit>) at pcu_main.cpp:295
Fixes: coverity CID#158969
Related: https://lists.osmocom.org/pipermail/osmocom-net-gprs/2016-December/000785.html
Change-Id: I357492e558e98cfdbf5bb3438b5013029195b02b
| -rw-r--r-- | src/gprs_rlcmac_sched.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/gprs_rlcmac_sched.cpp b/src/gprs_rlcmac_sched.cpp index fdda79d4..8b27cacd 100644 --- a/src/gprs_rlcmac_sched.cpp +++ b/src/gprs_rlcmac_sched.cpp @@ -173,6 +173,9 @@ static struct msgb *sched_select_ctrl_msg( } } + if (!tbf) + return NULL; + /* any message */ if (msg) { tbf->rotate_in_list(); |