fixeria has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/osmocom-bb/+/31739 )


Change subject: trxcon: do not crash on receipt of 8-PSK modulated bursts
......................................................................

trxcon: do not crash on receipt of 8-PSK modulated bursts

TRXDv0 PDUs may have 2 additional dummy bytes at the end.  Such
a PDU will crash trxcon if it contains an 8-PSK modulated burst:

  Assert failed phybi->burst_len <= sizeof(bi.burst)

In this case phybi->burst_len would be 444 + 2, while the size of the
burst buffer in struct l1sched_burst_ind is limited to the length
of an 8-PSK modulated burst (444).

Change-Id: Icfba986ccf0c696ba019b91575b4d69db001c14f
---
M src/host/trxcon/src/trx_if.c
1 file changed, 37 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmocom-bb refs/changes/39/31739/1

diff --git a/src/host/trxcon/src/trx_if.c b/src/host/trxcon/src/trx_if.c
index 50c5c89..330fd62 100644
--- a/src/host/trxcon/src/trx_if.c
+++ b/src/host/trxcon/src/trx_if.c
@@ -645,9 +645,9 @@
                return read_len;
        }

-       if (read_len < (TRXDv0_HDR_LEN + GSM_NBITS_NB_GMSK_BURST)) {
+       if (read_len < TRXDv0_HDR_LEN) {
                LOGPFSMSL(trx->fi, DTRXD, LOGL_ERROR,
-                         "Got data message with invalid length '%zd'\n", 
read_len);
+                         "Got malformed TRXD PDU (short length=%zd)\n", 
read_len);
                return -EINVAL;
        }

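Review bot: relaxing the guard to `read_len < TRXDv0_HDR_LEN` is only safe because the burst-length validation has moved into the switch that follows the version check; a one-line comment at this `if` saying that the payload length is validated further down would save the next reader from assuming a header-only PDU now reaches the burst handling unchecked. The new log text "Got malformed TRXD PDU (short length=%zd)" is fine as is.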
@@ -657,6 +657,22 @@
                return -ENOTSUP;
        }

+       read_len -= TRXDv0_HDR_LEN;
+       switch (read_len) {
+       /* TRXDv0 PDUs may have 2 dummy bytes at the end */
+       case GSM_NBITS_NB_GMSK_BURST + 2:
+       case GSM_NBITS_NB_8PSK_BURST + 2:
+               read_len -= 2;
+               break;
+       case GSM_NBITS_NB_GMSK_BURST:
+       case GSM_NBITS_NB_8PSK_BURST:
+               break;
+       default:
+               LOGPFSMSL(trx->fi, DTRXD, LOGL_ERROR,
+                         "Got TRXD PDU unexpected burst length=%zd\n", 
read_len);
+               return -EINVAL;
+       }
+
        burst = (sbit_t *)&buf[8];

        bi = (struct trxcon_phyif_burst_ind) {
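Review bot: reusing `read_len` for the payload length after `read_len -= TRXDv0_HDR_LEN` makes the two error messages inconsistent: the earlier "short length=%zd" prints the full PDU length, while "unexpected burst length=%zd" prints the length with the header already stripped, which will confuse anyone correlating the two logs. Consider a separate `size_t burst_len = read_len - TRXDv0_HDR_LEN;` and switching on that; it also keeps `read_len` meaning what its name says for the rest of the function. The four accepted cases (GMSK and 8-PSK, each with or without the 2 dummy bytes) correctly cover the crash described in the commit message, since `default` now rejects any other payload size before it can reach the fixed-size burst buffer.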
@@ -665,7 +681,7 @@
                .rssi = -(int8_t) buf[5],
                .toa256 = (int16_t) (buf[6] << 8) | buf[7],
                .burst = burst, /* at least GSM_NBITS_NB_GMSK_BURST */
-               .burst_len = read_len - TRXDv0_HDR_LEN,
+               .burst_len = read_len,
        };

        /* Convert ubits {254..0} to sbits {-127..127} in-place */
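Review bot: the comment on `.burst` ("at least GSM_NBITS_NB_GMSK_BURST") is now stale: after the switch above, `.burst_len` is exactly either GSM_NBITS_NB_GMSK_BURST or GSM_NBITS_NB_8PSK_BURST, with the 2 dummy bytes already subtracted. Updating it to say so documents why the `phybi->burst_len <= sizeof(bi.burst)` assertion from the commit message can no longer fire, and makes clear that the trailing dummy bytes are deliberately excluded from the ubit-to-sbit conversion that follows.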

--
To view, visit https://gerrit.osmocom.org/c/osmocom-bb/+/31739

Gerrit-Project: osmocom-bb
Gerrit-Branch: master
Gerrit-Change-Id: Icfba986ccf0c696ba019b91575b4d69db001c14f
Gerrit-Change-Number: 31739
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <[email protected]>
Gerrit-MessageType: newchange