From 71fd42fedea933f8e93c625435c3835ccfe4c0a1 Mon Sep 17 00:00:00 2001
From: Sylvain Munaut <tnt@246tNt.com>
Date: Thu, 1 Sep 2011 22:05:29 +0200
Subject: [PATCH] gsm/gsm48_ie: Fix Range 256 format decoding

From the mail:

---
appended is another patch for fixing a bug in the calculation of the
frequency lists. This time the patch is for the "Range 256 format".
The problem is that the operand for the "smod" operation might be
negative, in this case the simplified version won't work as expected.

In the patch I introduced a separate function for "smod" which takes
care of the sign. I have not yet checked if the other formats are also
affected, this would be the case if the "smod" operand can be negative.

There might be other solutions to fix the problem without the need
for a separate function, however I have not thought further about it.

A test vector is the following frequency list ("Range 256 format",
first byte is the length):

 09 8b 1c 83 8c 15 ef 02 2d 30

The correct ARFCNs are

 569 571 576 578 586 608 712 715 719

The uncorrected version would instead return:

 444 457 460 464 569 576 578 586 608

This means four ARFCNs are wrong which will cause problems if for
example the frequency list contains the ARFCNs for hopping.
----

Written-by: Dieter Spaar <spaar@mirider.augusta.de>
Signed-off-by: Sylvain Munaut <tnt@246tNt.com>
---
 src/gsm/gsm48_ie.c | 55 +++++++++++++++++++++++++++++-----------------
 1 file changed, 35 insertions(+), 20 deletions(-)

diff --git a/src/gsm/gsm48_ie.c b/src/gsm/gsm48_ie.c
index 863e63652..2a9a01003 100644
--- a/src/gsm/gsm48_ie.c
+++ b/src/gsm/gsm48_ie.c
@@ -659,6 +659,21 @@ int gsm48_encode_more(struct msgb *msg)
 	return 0;
 }
 
+static int32_t smod(int32_t n, int32_t m)
+{
+	int32_t res;
+
+	res = n % m;
+
+	if(res < 0)
+		res += m;
+
+	if(res == 0)
+		res = m;
+
+	return res;
+}
+
 /* decode "Cell Channel Description" (10.5.2.1b) and other frequency lists */
 int gsm48_decode_freq_list(struct gsm_sysinfo_freq *f, uint8_t *cd,
 			   uint8_t len, uint8_t mask, uint8_t frqt)
@@ -907,45 +922,45 @@ int gsm48_decode_freq_list(struct gsm_sysinfo_freq *f, uint8_t *cd,
 		if (w[1])
 			f[(w[0] + w[1]) % 1024].mask |= frqt;
 		if (w[2])
-			f[(w[0] + ((w[1] - 128 + w[2] - 1) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + w[2], 255)) % 1024].mask |= frqt;
 		if (w[3])
-			f[(w[0] + ((w[1]       + w[3] - 1) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + w[3], 255)) % 1024].mask |= frqt;
 		if (w[4])
-			f[(w[0] + ((w[1] - 128 + ((w[2] - 64 + w[4] - 1) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2] - 64 + w[4], 127), 255)) % 1024].mask |= frqt;
 		if (w[5])
-			f[(w[0] + ((w[1]       + ((w[3] - 64 + w[5] - 1) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3] - 64 + w[5], 127), 255)) % 1024].mask |= frqt;
 		if (w[6])
-			f[(w[0] + ((w[1] - 128 + ((w[2]      + w[6] - 1) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2]      + w[6], 127), 255)) % 1024].mask |= frqt;
 		if (w[7])
-			f[(w[0] + ((w[1]       + ((w[3]      + w[7] - 1) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3]      + w[7], 127), 255)) % 1024].mask |= frqt;
 		if (w[8])
-			f[(w[0] + ((w[1] - 128 + ((w[2] - 64 + ((w[4] - 32 + w[8] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2] - 64 + smod(w[4] - 32 + w[8], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[9])
-			f[(w[0] + ((w[1]       + ((w[3] - 64 + ((w[5] - 32 + w[9] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3] - 64 + smod(w[5] - 32 + w[9], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[10])
-			f[(w[0] + ((w[1] - 128 + ((w[2]      + ((w[6] - 32 + w[10] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2]      + smod(w[6] - 32 + w[10], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[11])
-			f[(w[0] + ((w[1]       + ((w[3]      + ((w[7] - 32 + w[11] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3]      + smod(w[7] - 32 + w[11], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[12])
-			f[(w[0] + ((w[1] - 128 + ((w[2] - 64 + ((w[4]      + w[12] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2] - 64 + smod(w[4]      + w[12], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[13])
-			f[(w[0] + ((w[1]       + ((w[3] - 64 + ((w[5]      + w[13] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3] - 64 + smod(w[5]      + w[13], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[14])
-			f[(w[0] + ((w[1] - 128 + ((w[2]      + ((w[6]      + w[14] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2]      + smod(w[6]      + w[14], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[15])
-			f[(w[0] + ((w[1]       + ((w[3]      + ((w[7]      + w[15] - 1) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3]      + smod(w[7]      + w[15], 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[16])
-			f[(w[0] + ((w[1] - 128 + ((w[2] - 64 + ((w[4] - 32 + ((w[8] - 16 + w[16] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2] - 64 + smod(w[4] - 32 + smod(w[8] - 16 + w[16], 31), 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[17])
-			f[(w[0] + ((w[1]       + ((w[3] - 64 + ((w[5] - 32 + ((w[9] - 16 + w[17] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3] - 64 + smod(w[5] - 32 + smod(w[9] - 16 + w[17], 31), 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[18])
-			f[(w[0] + ((w[1] - 128 + ((w[2]      + ((w[6] - 32 + ((w[10] - 16 + w[18] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2]      + smod(w[6] - 32 + smod(w[10] - 16 + w[18], 31), 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[19])
-			f[(w[0] + ((w[1]       + ((w[3]      + ((w[7] - 32 + ((w[11] - 16 + w[19] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3]      + smod(w[7] - 32 + smod(w[11] - 16 + w[19], 31), 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[20])
-			f[(w[0] + ((w[1] - 128 + ((w[2] - 64 + ((w[4]      + ((w[12] - 16 + w[20] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1] - 128 + smod(w[2] - 64 + smod(w[4]      + smod(w[12] - 16 + w[20], 31), 63), 127), 255)) % 1024].mask |= frqt;
 		if (w[21])
-			f[(w[0] + ((w[1]       + ((w[3] - 64 + ((w[5]      + ((w[13] - 16 + w[21] - 1) % 31)) % 63)) % 127)) % 255) + 1) % 1024].mask |= frqt;
+			f[(w[0] + smod(w[1]       + smod(w[3] - 64 + smod(w[5]      + smod(w[13] - 16 + w[21], 31), 63), 127), 255)) % 1024].mask |= frqt;
 
 		return 0;
 	}