diff options
author | Felix Domke <tmbinc@elitedvb.net> | 2015-07-15 04:09:50 +0200 |
---|---|---|
committer | Sylvain Munaut <tnt@246tNt.com> | 2015-07-21 13:19:16 +0200 |
commit | 8a2e935cdb67ff93a0ec8382b41f173b216ca3b5 (patch) | |
tree | c5d36ea5d590e5f9d923d1b3a36c4c7f7a8ea9c4 /src/target/firmware/layer1 | |
parent | fc20a37cb375dac11f45b78a446237c70f00841c (diff) |
layer1: fix chan_nr2mf_task_mask for TCH/H channel
"multiframe", the frame layout (used to compute neighbor
cell monitoring pattern) was uninitialized in TCH/H case.
This, in combination with gcc optimizing the
"switch(multiframe)"-statement into a LUT without bounds-
checking (since using an uninitialized value is undefined
behavior) caused neigh_task to be filled with an out-of-
bounds value, eventually crashing the TDMA scheduler.
Written-by: Felix Domke <tmbinc@elitedvb.net>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
Diffstat (limited to 'src/target/firmware/layer1')
-rw-r--r-- | src/target/firmware/layer1/l23_api.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/target/firmware/layer1/l23_api.c b/src/target/firmware/layer1/l23_api.c index ae39e634..9a90e3aa 100644 --- a/src/target/firmware/layer1/l23_api.c +++ b/src/target/firmware/layer1/l23_api.c @@ -79,7 +79,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode) uint8_t lch_idx; enum mframe_task master_task = 0; uint32_t neigh_task = 0; - enum mf_type multiframe; + enum mf_type multiframe = 0; if (cbits == 0x01) { lch_idx = 0; @@ -88,6 +88,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode) } else if ((cbits & 0x1e) == 0x02) { lch_idx = cbits & 0x1; master_task = MF_TASK_TCH_H_0 + lch_idx; + multiframe = (lch_idx & 1) ? MF26ODD : MF26EVEN; } else if ((cbits & 0x1c) == 0x04) { lch_idx = cbits & 0x3; master_task = MF_TASK_SDCCH4_0 + lch_idx; |