pdcp_entity_lte: fix printf formatter for size_t

we've seen a heap-buffer overflow in fmt because printf wasn't using
the right formatter for size_t, which should be %zu

this patch fixes it for the PDCP LTE entity but we might have it elsewhere too

[1m[31m==7595==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000e6f1fc at pc 0x562273a45289 bp 0x7f35567641f0 sp 0x7f35567641e0
[1m[0m[1m[34mREAD of size 4 at 0x629000e6f1fc thread T12 (STACK)[1m[0m
    0 0x562273a45288 in fmt::v7::basic_format_arg<fmt::v7::basic_printf_context<std::back_insert_iterator<fmt::v7::detail::buffer<char> >, char> > fmt::v7::detail::make_arg<fmt::v7::basic_printf_context<std::back_insert_iterator<fmt::v7::detail::buffer<char> >, char>, unsigned int>(unsigned int const&) (/osmo-gsm-tester-srsue/srslte/bin/srsue+0x9dc288)
    1 0x562273a3aa86 in void fmt::v7::dynamic_format_arg_store<fmt::v7::basic_printf_context<std::back_insert_iterator<fmt::v7::detail::buffer<char> >, char> >::emplace_arg<unsigned int>(unsigned int const&) (/osmo-gsm-tester-srsue/srslte/bin/srsue+0x9d1a86)
    2 0x562273a308e7 in void fmt::v7::dynamic_format_arg_store<fmt::v7::basic_printf_context<std::back_insert_iterator<fmt::v7::detail::buffer<char> >, char> >::push_back<unsigned int>(unsigned int const&) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/include/srslte/srslog/bundled/fmt/core.h:1548
    3 0x562274361541 in void srslog::log_channel::operator()<unsigned int&, unsigned int&, unsigned long>(char const*, unsigned int&, unsigned int&, unsigned long&&) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/include/srslte/srslog/log_channel.h:101
    4 0x56227430d9e7 in srslte::pdcp_entity_lte::update_rx_counts_queue(unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/src/upper/pdcp_entity_lte.cc:451
master
Andre Puschmann 4 years ago
parent d646111aa9
commit 47654af717

@ -439,7 +439,7 @@ void pdcp_entity_lte::update_rx_counts_queue(uint32_t rx_count)
// If the size of the rx_vector_info is getting very large
// Consider the FMC as lost and update the vector.
if (rx_counts_info.size() > reordering_window) {
logger.debug("Queue too large. Updating. Old FMC=%d, Old back=%d, old queue_size=%d",
logger.debug("Queue too large. Updating. Old FMC=%d, Old back=%d, old queue_size=%zu",
fmc,
rx_counts_info.back(),
rx_counts_info.size());
@ -448,16 +448,16 @@ void pdcp_entity_lte::update_rx_counts_queue(uint32_t rx_count)
rx_counts_info.pop_back();
fmc++;
}
logger.debug("Queue too large. Updating. New FMC=%d, new back=%d, new queue_size=%d",
logger.debug("Queue too large. Updating. New FMC=%d, new back=%d, new queue_size=%zu",
fmc,
rx_counts_info.back(),
rx_counts_info.size());
}
if (rx_counts_info.empty()) {
logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%d, FMC=%d", rx_count, rx_counts_info.size(), fmc);
logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size%zu, FMC=%d", rx_count, rx_counts_info.size(), fmc);
} else {
logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%d, FMC=%d, back=%d",
logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%zu, FMC=%d, back=%d",
rx_count,
rx_counts_info.size(),
fmc,
@ -707,7 +707,7 @@ void pdcp_entity_lte::notify_delivery(const pdcp_sn_vector_t& pdcp_sns)
return;
}
logger.info("Received delivery notification from RLC. Number of PDU notified=%ld", pdcp_sns.size());
logger.info("Received delivery notification from RLC. Number of PDU notified=%zu", pdcp_sns.size());
for (uint32_t sn : pdcp_sns) {
logger.debug("Delivery notification received for PDU with SN=%d", sn);
if (sn == UINT32_MAX) {
@ -737,7 +737,7 @@ void pdcp_entity_lte::notify_failure(const pdcp_sn_vector_t& pdcp_sns)
return;
}
logger.info("Received failure notification from RLC. Number of PDU notified=%ld", pdcp_sns.size());
logger.info("Received failure notification from RLC. Number of PDU notified=%zu", pdcp_sns.size());
for (uint32_t sn : pdcp_sns) {
logger.info("Failure notification received for PDU with SN=%d", sn);
@ -800,7 +800,7 @@ std::map<uint32_t, srslte::unique_byte_buffer_t> pdcp_entity_lte::get_buffered_p
logger.error("Buffered PDUs being requested for non-AM DRB");
return std::map<uint32_t, srslte::unique_byte_buffer_t>{};
}
logger.info("Buffered PDUs requested, buffer_size=%d", undelivered_sdus->size());
logger.info("Buffered PDUs requested, buffer_size=%zu", undelivered_sdus->size());
return undelivered_sdus->get_buffered_sdus();
}
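Review bot: In `update_rx_counts_queue`, the second `logger.debug` call (the "New FMC=..." message) still passes `rx_counts_info.back()` right after the `pop_back()` loop, and the `if (rx_counts_info.empty())` test just below it shows the vector can be empty at that point; calling `back()` on an empty vector is undefined behaviour. That looks like a closer match for the ASan report (a 4-byte READ in `make_arg<..., unsigned int>` reached from pdcp_entity_lte.cc:451) than the `%d` to `%zu` change, so the overflow may survive this patch; the loop condition is outside the hunk, so this needs confirming against the full function. I would wrap that debug call in `if (!rx_counts_info.empty()) { ... }` or drop `back` from the message. Separately, the new string in the empty branch reads `queue_size%zu` and has lost its `=`; it should be `queue_size=%zu`.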
