From 580ce3e29873f6f73ac9c97cdf26075958ae136a Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Fri, 5 Oct 2018 12:17:44 +0200
Subject: [PATCH] add extra length check for RLC UM
---
 lib/src/upper/rlc_tm.cc | 2 +-
 lib/src/upper/rlc_um.cc | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/src/upper/rlc_tm.cc b/lib/src/upper/rlc_tm.cc
index 14cfe37ea..e006072c6 100644
--- a/lib/src/upper/rlc_tm.cc
+++ b/lib/src/upper/rlc_tm.cc
@@ -153,7 +153,7 @@ int rlc_tm::read_pdu(uint8_t *payload, uint32_t nof_bytes)
 {
 uint32_t pdu_size = ul_queue.size_tail_bytes();
 if (pdu_size > nof_bytes) {
- log->error("TX %s PDU size larger than MAC opportunity\n", rrc->get_rb_name(lcid).c_str());
+ log->error("TX %s PDU size larger than MAC opportunity (%d > %d)\n", rrc->get_rb_name(lcid).c_str(), pdu_size, nof_bytes);
 return -1;
 }
 byte_buffer_t *buf;
diff --git a/lib/src/upper/rlc_um.cc b/lib/src/upper/rlc_um.cc
index 4fee0e7b6..24e66389c 100644
--- a/lib/src/upper/rlc_um.cc
+++ b/lib/src/upper/rlc_um.cc
@@ -774,6 +774,11 @@ void rlc_um::rlc_um_rx::reassemble_rx_sdus()
 if (rx_sdu->N_bytes == 0 && i == 0 && !rlc_um_start_aligned(rx_window[vr_ur].header.fi)) {
 log->warning_hex(rx_window[vr_ur].buf->msg, len, "Dropping first %d B of SN %d due to lost start segment\n", len, vr_ur);
+ if (rx_window[vr_ur].buf->N_bytes < len) {
+ log->error("Dropping remaining remainder of SN %d too (N_bytes=%u < len=%d)\n", vr_ur, rx_window[vr_ur].buf->N_bytes, len);
+ goto clean_up_rx_window;
+ }
+
 // Advance data pointers and continue with next segment
 rx_window[vr_ur].buf->msg += len;
 rx_window[vr_ur].buf->N_bytes -= len;
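Review bot: The two conversions added to the rlc_tm.cc error message use `%d`, but `nof_bytes` is a `uint32_t` parameter and `pdu_size` is declared `uint32_t` two lines above, so a size above INT_MAX would be logged as a negative number. `(%u > %u)` matches the argument types and the `N_bytes=%u` form used in the rlc_um.cc hunk of this same patch. The rest of read_pdu lies outside the hunk.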
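Review bot: In the rlc_um.cc hunk the new `N_bytes < len` guard runs only after `log->warning_hex(rx_window[vr_ur].buf->msg, len, ...)`, which is handed the same unchecked `len`; if that helper dumps `len` bytes (its implementation is not visible here), a length indicator larger than the received payload is still read past the buffer before the PDU is dropped. Moving the `if (rx_window[vr_ur].buf->N_bytes < len) { ... goto clean_up_rx_window; }` block above the hex dump closes that gap, and the dump then only ever sees a length that fits the buffer. `len` is printed with `%d` while `N_bytes` is printed with `%u`, so the comparison is probably mixed signed/unsigned; the declaration of `len`, the enclosing loop and the `clean_up_rx_window` label are outside the hunk and worth checking. The log text `Dropping remaining remainder` reads better as `Dropping remainder`.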