osmo-bts-{sysmo,lc15,oc2g}: fix segfault in ph_tch_req()

ph_tch_req() is a recursive function and conditionally calls itself at the very bottom. The recursive call happens iff all of the following conditions are met: * DTXd is enabled, * AMR codec is in use, * DTX DL AMR FSM state is recursive. The problem is that ph_tch_req() may pull sizeof(*lsap) from the given msgb twice: during the initial and the recursive calls. The second attempt to pull sizeof(*lsap) causes the process to abort, because the remaining room is less than it's attempting to pull. AFAICT, doing msgb_pull() is not really necessary, given that l1sap_tch_rts_ind() thankfully does set msg->l2h before pushing the lsap header in front of the actual frame. Update osmo-bts-sysmo and its copy-pasted siblings, which are likely affected too, except osmo-bts-octphy which does not do the recursion. Change-Id: Ib349b74a9e4bd48c902286f872d3b0e9a068256c Related: OS#5925
2023-03-21 05:42:02 +07:00 · 2023-03-21 05:42:02 +07:00 · e464ef6524
parent dbd70bca75
commit e464ef6524
4 changed files with 4 additions and 8 deletions
--- a/src/osmo-bts-lc15/l1_if.c
+++ b/src/osmo-bts-lc15/l1_if.c
@ -508,7 +508,6 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,

 	/* create new message and fill data */
 	if (msg) {
-		msgb_pull(msg, sizeof(*l1sap));
 		/* create new message */
 		nmsg = l1p_msgb_alloc();
 		if (!nmsg)
@ -517,7 +516,7 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
 		rc = l1if_tch_encode(lchan,
 				     l1p->u.phDataReq.msgUnitParam.u8Buffer,
 				     &l1p->u.phDataReq.msgUnitParam.u8Size,
-				     msg->data, msg->len, u32Fn, use_cache,
+				     msgb_l2(msg), msgb_l2len(msg), u32Fn, use_cache,
 				     l1sap->u.tch.marker);
 		if (rc < 0) {
 		/* no data encoded for L1: smth will be generated below */
--- a/src/osmo-bts-oc2g/l1_if.c
+++ b/src/osmo-bts-oc2g/l1_if.c
@ -561,7 +561,6 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,

 	/* create new message and fill data */
 	if (msg) {
-		msgb_pull(msg, sizeof(*l1sap));
 		/* create new message */
 		nmsg = l1p_msgb_alloc();
 		if (!nmsg)
@ -570,7 +569,7 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
 		rc = l1if_tch_encode(lchan,
 				     l1p->u.phDataReq.msgUnitParam.u8Buffer,
 				     &l1p->u.phDataReq.msgUnitParam.u8Size,
-				     msg->data, msg->len, u32Fn, use_cache,
+				     msgb_l2(msg), msgb_l2len(msg), u32Fn, use_cache,
 				     l1sap->u.tch.marker);
 		if (rc < 0) {
 		/* no data encoded for L1: smth will be generated below */
--- a/src/osmo-bts-octphy/l1_if.c
+++ b/src/osmo-bts-octphy/l1_if.c
@ -593,7 +593,6 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
 			return -ENOMEM;
 		}

-		msgb_pull(msg, sizeof(*l1sap));
 		tOCTVC1_GSM_MSG_TRX_REQUEST_LOGICAL_CHANNEL_DATA_CMD *data_req =
 			(tOCTVC1_GSM_MSG_TRX_REQUEST_LOGICAL_CHANNEL_DATA_CMD *)
 			msgb_put(nmsg, sizeof(*data_req));
@ -615,7 +614,7 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
 				&data_req->Data.ulPayloadType,
 				data_req->Data.abyDataContent,
 				&data_req->Data.ulDataLength,
-				msg->data, msg->len);
+				msgb_l2(msg), msgb_l2len(msg));

 		mOCTVC1_GSM_MSG_TRX_REQUEST_LOGICAL_CHANNEL_DATA_CMD_SWAP(data_req);
 	} else {
--- a/src/osmo-bts-sysmo/l1_if.c
+++ b/src/osmo-bts-sysmo/l1_if.c
@ -505,7 +505,6 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,

 	/* create new message and fill data */
 	if (msg) {
-		msgb_pull(msg, sizeof(*l1sap));
 		/* create new message */
 		nmsg = l1p_msgb_alloc();
 		if (!nmsg)
@ -514,7 +513,7 @@ static int ph_tch_req(struct gsm_bts_trx *trx, struct msgb *msg,
 		rc = l1if_tch_encode(lchan,
 				     l1p->u.phDataReq.msgUnitParam.u8Buffer,
 				     &l1p->u.phDataReq.msgUnitParam.u8Size,
-				     msg->data, msg->len, u32Fn, use_cache,
+				     msgb_l2(msg), msgb_l2len(msg), u32Fn, use_cache,
 				     l1sap->u.tch.marker);
 		if (rc < 0) {
 		/* no data encoded for L1: smth will be generated below */