pespin has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/libosmo-gprs/+/31436 )


Change subject: rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains 
several LLC frames
......................................................................

rlcmac: tbf_dl: Fix msgb null ptr access if dl block contains several LLC frames

Fixes: Coverity CID#310023
Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
---
M src/rlcmac/tbf_dl.c
1 file changed, 23 insertions(+), 13 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmo-gprs refs/changes/36/31436/1

diff --git a/src/rlcmac/tbf_dl.c b/src/rlcmac/tbf_dl.c
index 7fb4be9..3861cae 100644
--- a/src/rlcmac/tbf_dl.c
+++ b/src/rlcmac/tbf_dl.c
@@ -154,29 +154,29 @@
        uint8_t len = blk->len;
        const struct gprs_rlcmac_rlc_block_info *rdbi = &blk->block_info;
        enum gprs_rlcmac_coding_scheme cs = blk->cs_last;
-       struct osmo_gprs_rlcmac_prim *rlcmac_prim;
-
-       struct gprs_rlcmac_rlc_llc_chunk frames[16], *frame;
+       struct gprs_rlcmac_rlc_llc_chunk frames[16];
        int i, num_frames = 0;
        int rc = 0;

        LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Assembling frames: (len=%d)\n", len);

-       if (!dl_tbf->llc_rx_msg) {
-               rlcmac_prim = gprs_rlcmac_prim_alloc_grr_unitdata_ind(
-                               dl_tbf->tbf.gre->tlli, NULL, 
GPRS_RLCMAC_LLC_PDU_MAX_LEN);
-               dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
-               dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
-       } else {
-               rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
-       }
-
        num_frames = gprs_rlcmac_rlc_data_from_dl_data(rdbi, cs, data,
                                                       &frames[0], 
ARRAY_SIZE(frames));

        /* create LLC frames */
        for (i = 0; i < num_frames; i++) {
-               frame = frames + i;
+               struct gprs_rlcmac_rlc_llc_chunk *frame = &frames[i];
+               struct osmo_gprs_rlcmac_prim *rlcmac_prim;
+
+               if (!dl_tbf->llc_rx_msg) {
+                       rlcmac_prim = 
gprs_rlcmac_prim_alloc_grr_unitdata_ind(dl_tbf->tbf.gre->tlli,
+                                                                             
NULL,
+                                                                             
GPRS_RLCMAC_LLC_PDU_MAX_LEN);
+                       dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;
+                       dl_tbf->llc_rx_msg->l3h = dl_tbf->llc_rx_msg->tail;
+               } else {
+                       rlcmac_prim = msgb_rlcmac_prim(dl_tbf->llc_rx_msg);
+               }

                if (frame->length) {
                        LOGPTBFDL(dl_tbf, LOGL_DEBUG, "Frame %d "
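Review bot: The pointer returned by `gprs_rlcmac_prim_alloc_grr_unitdata_ind()` is dereferenced on the very next added line (`dl_tbf->llc_rx_msg = rlcmac_prim->oph.msg;`) without a check. The allocation now sits inside the per-frame loop, so it can run several times for one downlink block whose contents arrive from the network. If that allocator can return NULL (its definition is not visible here), this is the same class of null access the commit sets out to fix; consider `OSMO_ASSERT(rlcmac_prim);` directly after the call, or setting `rc` to an error and leaving the loop. A one-line comment above the `if`, such as `/* llc_rx_msg may have been handed off by a previous iteration, so (re)allocate per frame */`, would record why the block moved; presumably the hand-off happens later in the loop body. The function and the loop body both continue outside this hunk.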

--
To view, visit https://gerrit.osmocom.org/c/libosmo-gprs/+/31436

Gerrit-Project: libosmo-gprs
Gerrit-Branch: master
Gerrit-Change-Id: I627724fda5b9ffcf13433ea69af908d725e94299
Gerrit-Change-Number: 31436
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
Gerrit-MessageType: newchange
