layer1: fix chan_nr2mf_task_mask for TCH/H channel

"multiframe", the frame layout (used to compute neighbor
cell monitoring pattern) was uninitialized in TCH/H case.

This, in combination with gcc optimizing the
"switch(multiframe)"-statement into a LUT without bounds-
checking (since using an uninitialized value is undefined
behavior) caused neigh_task to be filled with an out-of-
bounds value, eventually crashing the TDMA scheduler.

Written-by: Felix Domke <tmbinc@elitedvb.net>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/src/target/firmware/layer1/l23_api.c b/src/target/firmware/layer1/l23_api.c
index ae39e634..9a90e3aa 100644
--- a/src/target/firmware/layer1/l23_api.c
+++ b/src/target/firmware/layer1/l23_api.c
@@ -79,7 +79,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode)
 	uint8_t lch_idx;
 	enum mframe_task master_task = 0;
 	uint32_t neigh_task = 0;
-	enum mf_type multiframe;
+	enum mf_type multiframe = 0;
 
 	if (cbits == 0x01) {
 		lch_idx = 0;
@@ -88,6 +88,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode)
 	} else if ((cbits & 0x1e) == 0x02) {
 		lch_idx = cbits & 0x1;
 		master_task = MF_TASK_TCH_H_0 + lch_idx;
+		multiframe = (lch_idx & 1) ? MF26ODD : MF26EVEN;
 	} else if ((cbits & 0x1c) == 0x04) {
 		lch_idx = cbits & 0x3;
 		master_task = MF_TASK_SDCCH4_0 + lch_idx;