From 6fe33fd6d43bf51da18ffa9ec9b2a944cd3e16de Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Wed, 8 Mar 2023 02:41:54 +0700
Subject: [PATCH] trxcon: do not crash on receipt of 8-PSK modulated bursts

TRXDv0 PDUs may have 2 additional dummy bytes at the end. Such a PDU will crash trxcon if it contains an 8-PSK modulated burst:

Assert failed phybi->burst_len <= sizeof(bi.burst)

In this case phybi->burst_len would be 444 + 2, while size of the burst buffer in struct l1sched_burst_ind is limited to the length of an 8-PSK modulated burst (444).

Change-Id: Icfba986ccf0c696ba019b91575b4d69db001c14f
---
 src/host/trxcon/src/trx_if.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/host/trxcon/src/trx_if.c b/src/host/trxcon/src/trx_if.c
index 50c5c897a..330fd62bb 100644
--- a/src/host/trxcon/src/trx_if.c
+++ b/src/host/trxcon/src/trx_if.c
@@ -645,9 +645,9 @@ static int trx_data_rx_cb(struct osmo_fd *ofd, unsigned int what)
 return read_len;
 }
 
- if (read_len < (TRXDv0_HDR_LEN + GSM_NBITS_NB_GMSK_BURST)) {
+ if (read_len < TRXDv0_HDR_LEN) {
 LOGPFSMSL(trx->fi, DTRXD, LOGL_ERROR,
- "Got data message with invalid length '%zd'\n", read_len);
+ "Got malformed TRXD PDU (short length=%zd)\n", read_len);
 return -EINVAL;
 }
 
@@ -657,6 +657,22 @@ static int trx_data_rx_cb(struct osmo_fd *ofd, unsigned int what)
 return -ENOTSUP;
 }
 
+ read_len -= TRXDv0_HDR_LEN;
+ switch (read_len) {
+ /* TRXDv0 PDUs may have 2 dummy bytes at the end */
+ case GSM_NBITS_NB_GMSK_BURST + 2:
+ case GSM_NBITS_NB_8PSK_BURST + 2:
+ read_len -= 2;
+ break;
+ case GSM_NBITS_NB_GMSK_BURST:
+ case GSM_NBITS_NB_8PSK_BURST:
+ break;
+ default:
+ LOGPFSMSL(trx->fi, DTRXD, LOGL_ERROR,
+ "Got TRXD PDU unexpected burst length=%zd\n", read_len);
+ return -EINVAL;
+ }
+
 burst = (sbit_t *)&buf[8];
 bi = (struct trxcon_phyif_burst_ind) {
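Review bot: The comment inside the switch (`/* TRXDv0 PDUs may have 2 dummy bytes at the end */`) explains only the `+ 2` cases, while the reason the switch is an exact allow-list — keeping the burst length within the fixed burst buffer behind the `phybi->burst_len <= sizeof(bi.burst)` assert — is stated only in the commit message, not in the code. I would put it above `switch (read_len) {` as `/* Accept only exact GMSK/8-PSK burst lengths (optionally followed by 2 TRXDv0 dummy bytes); anything else is rejected here so burst_len can never exceed the fixed burst buffer downstream. */`. `read_len` is also repurposed here as the burst length and then consumed later in the third hunk (`.burst_len = read_len,`), so a dedicated local, e.g. `burst_len = read_len - TRXDv0_HDR_LEN;`, would make that hunk readable on its own, although its declaration would have to be added outside this hunk. The default-branch message reads better as `"Got TRXD PDU with unexpected burst length=%zd\n"`. trx_data_rx_cb() starts and ends outside this hunk.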
@@ -665,7 +681,7 @@ static int trx_data_rx_cb(struct osmo_fd *ofd, unsigned int what)
 .rssi = -(int8_t) buf[5],
 .toa256 = (int16_t) (buf[6] << 8) | buf[7],
 .burst = burst, /* at least GSM_NBITS_NB_GMSK_BURST */
- .burst_len = read_len - TRXDv0_HDR_LEN,
+ .burst_len = read_len,
 };
 
 /* Convert ubits {254..0} to sbits {-127..127} in-place */