fixeria has submitted this change and it was merged. (
https://gerrit.osmocom.org/c/osmo-bts/+/14876 )
Change subject: osmo-bts-trx/scheduler: prevent uninitialized memory access
......................................................................
osmo-bts-trx/scheduler: prevent uninitialized memory access
When sending an AMR BFI, we need to call osmo_amr_rtp_enc() with
AMR_BAD as the last parameter. This function returns the length
of the encoded payload, which needs to be at least 2 octets long.
If osmo_amr_rtp_enc() returns a length value lower than 2 octets
(which should not happen in general), we should neither call
memset() on it, nor call _sched_compose_tch_ind().
Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9
Fixes: CID#178648, CID#178637, CID#178651
---
M src/osmo-bts-trx/scheduler_trx.c
1 file changed, 18 insertions(+), 6 deletions(-)
Approvals:
laforge: Looks good to me, but someone else must approve
pespin: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/osmo-bts-trx/scheduler_trx.c b/src/osmo-bts-trx/scheduler_trx.c
index ef24119..1a60443 100644
--- a/src/osmo-bts-trx/scheduler_trx.c
+++ b/src/osmo-bts-trx/scheduler_trx.c
@@ -382,8 +382,12 @@
len = osmo_amr_rtp_enc(tch_data,
chan_state->codec[chan_state->dl_cmr],
chan_state->codec[chan_state->dl_ft], AMR_BAD);
- if (len < 2)
- break;
+ if (len < 2) {
+ LOGL1S(DL1P, LOGL_ERROR, l1t, tn, chan, fn,
+ "Failed to encode AMR_BAD frame (rc=%d),
"
+ "not sending BFI\n", len);
+ return;
+ }
memset(tch_data + 2, 0, len - 2);
_sched_compose_tch_ind(l1t, tn, fn, chan, tch_data,
len);
break;
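Review bot: in the `len < 2` branch the former `break` is now a bare `return;`, so this path leaves the function without running anything placed after the switch and without signalling the failure to the caller, whereas the other two sites in this patch return -EINVAL. Please confirm that nothing after the switch still has to run for this frame. The guard also bounds `len` from below only: `memset(tch_data + 2, 0, len - 2)` relies on the encoder never returning more than the size of `tch_data`, which these lines do not check. An upper-bound check or an assertion next to the new branch would make that assumption explicit.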
@@ -1284,8 +1288,12 @@
chan_state->codec[chan_state->dl_cmr],
chan_state->codec[chan_state->dl_ft],
AMR_BAD);
- if (rc < 2)
- break;
+ if (rc < 2) {
+ LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn,
chan, bi->fn,
+ "Failed to encode AMR_BAD frame
(rc=%d), "
+ "not sending BFI\n", rc);
+ return -EINVAL;
+ }
memset(tch_data + 2, 0, rc - 2);
break;
default:
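Review bot: the literal 2 in `if (rc < 2)` and in `memset(tch_data + 2, 0, rc - 2)` is unexplained at this site; the reader has to go to the commit message to learn that the encoded payload must be at least 2 octets long. A named constant shared by the check and the memset, or a one-line comment saying that the two leading octets are kept and the rest is zeroed, would tie the guard to the write it protects and make it harder for a later edit to change one without the other.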
@@ -1477,8 +1485,12 @@
chan_state->codec[chan_state->dl_cmr],
chan_state->codec[chan_state->dl_ft],
AMR_BAD);
- if (rc < 2)
- break;
+ if (rc < 2) {
+ LOGL1S(DL1P, LOGL_ERROR, l1t, bi->tn,
chan, bi->fn,
+ "Failed to encode AMR_BAD frame
(rc=%d), "
+ "not sending BFI\n", rc);
+ return -EINVAL;
+ }
memset(tch_data + 2, 0, rc - 2);
break;
default:
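Review bot: this `rc < 2` branch, its log message and the following memset are a verbatim copy of the previous hunk and differ from the first hunk only in the variable name and the return statement. A small helper that encodes the AMR_BAD frame, validates the returned length and zeroes the payload would keep the three sites from drifting apart, which is how a missing length check at one site tends to reappear. Since the branch logs at LOGL_ERROR each time it is hit, a persistently failing encoder would also log once per frame; consider whether that message needs rate limiting.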
--
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/14876
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I70ce98c5697b9ce6fac7ab57a5d70f3201db29d9
Gerrit-Change-Number: 14876
Gerrit-PatchSet: 6
Gerrit-Owner: laforge <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-MessageType: merged