diff options
author | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2024-05-23 08:50:00 +0700 |
---|---|---|
committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2024-05-23 08:50:54 +0700 |
commit | d70e8a6de72c361870bd9202110dac933d91992f (patch) | |
tree | 76e0296aa414ebc70316cd31dc5124d3653ec5b5 /src/host/trxcon/src | |
parent | 7c00190b45205c2f1d2d8e708c1f6e9dd621ff69 (diff) |
trxcon/l1sched: fix NULL pointer dereference in tx_tch[fh]_fn()
If msg is NULL, we're inducing a BFI condition at the BTS side receiver
by sending a TCH/A[FH]S block with invalid CRC6. In this case we need
to skip the rest of the function and jump to send_burst immediately.
Change-Id: I159b2ed455377c77d8764f9320efd15333129afb
Fixes: 7c00190b "trxcon/l1sched: fix sending dummy TCH/A[FH]S blocks"
Fixes: CID#368538
Diffstat (limited to 'src/host/trxcon/src')
-rw-r--r-- | src/host/trxcon/src/sched_lchan_tchf.c | 2 | ||||
-rw-r--r-- | src/host/trxcon/src/sched_lchan_tchh.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/src/host/trxcon/src/sched_lchan_tchf.c b/src/host/trxcon/src/sched_lchan_tchf.c index d11b3146..7cc1856a 100644 --- a/src/host/trxcon/src/sched_lchan_tchf.c +++ b/src/host/trxcon/src/sched_lchan_tchf.c @@ -321,6 +321,8 @@ int tx_tchf_fn(struct l1sched_lchan_state *lchan, lchan->amr.codecs, lchan->amr.ul_ft, lchan->amr.ul_cmr); + if (msg == NULL) + goto send_burst; break; } /* CSD (TCH/F14.4): 14.5 kbit/s radio interface rate */ diff --git a/src/host/trxcon/src/sched_lchan_tchh.c b/src/host/trxcon/src/sched_lchan_tchh.c index 0d3de003..6c88d190 100644 --- a/src/host/trxcon/src/sched_lchan_tchh.c +++ b/src/host/trxcon/src/sched_lchan_tchh.c @@ -528,6 +528,8 @@ int tx_tchh_fn(struct l1sched_lchan_state *lchan, lchan->amr.codecs, lchan->amr.ul_ft, lchan->amr.ul_cmr); + if (msg == NULL) + goto send_burst; break; } /* CSD (TCH/H4.8): 6.0 kbit/s radio interface rate */ |