From 732a1089827c0973da2a8be371d31a11e3fd3a26 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Sat, 2 Jan 2021 18:02:10 +0100
Subject: [PATCH] mac: convert rar_pdu_msg[] from vector into array and protect access attempt to address ASAN detected issue: RACH: tti=821, cc=3, preamble=11, offset=0, temp_crnti=0x47 ASAN:DEADLYSIGNAL ================================================================= m==25385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000024 (pc 0x564b19a26c93 bp 0x7fa0e5f1a8c0 sp 0x7fa0e5f1a798 T8) ==25385==The signal is caused by a WRITE memory access. ==25385==Hint: address points to the zero page. ------DL--------------------------------UL------------------------------------ rnti cqi ri mcs brate ok nok (%) snr phr mcs brate ok nok (%) bsr 46 0.10 0 0.0 0 0 0 0% 0 0.0 0 0 0 0 0% 0.0 47 0.10 0 0.0 0 0 0 0% 0 0.0 0 0 0 0 0% 0.0 #0 0x564b19a26c92 in srslte::rar_subh::set_ta_cmd(unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/lib/src/mac/pdu.cc:1136 #1 0x564b19577f7e in srsenb::mac::assemble_rar(srsenb::sched_interface::dl_sched_rar_grant_t*, unsigned int, int, unsigned int, unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/stack/mac/mac.cc:837 #2 0x564b19591765 in srsenb::mac::get_dl_sched(unsigned int, std::vector >&) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/stack/mac/mac.cc:653 #3 0x564b19497ee2 in srsenb::lte::sf_worker::work_imp() /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/phy/lte/sf_worker.cc:208 #4 0x564b199f8db4 in
---
 srsenb/hdr/stack/mac/mac.h | 4 ++--
 srsenb/src/stack/mac/mac.cc | 7 +++----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/srsenb/hdr/stack/mac/mac.h b/srsenb/hdr/stack/mac/mac.h
index 06b4b4619..6f6a72a08 100644
--- a/srsenb/hdr/stack/mac/mac.h
+++ b/srsenb/hdr/stack/mac/mac.h
@@ -140,12 +140,12 @@ private:
 uint8_t* assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
 uint32_t nof_grants,
- int rar_idx,
+ uint32_t rar_idx,
 uint32_t pdu_len,
 uint32_t tti);
 const static int rar_payload_len = 128;
- std::vector rar_pdu_msg;
+ std::array rar_pdu_msg;
 srslte::byte_buffer_t rar_payload[sched_interface::MAX_RAR_LIST];
 const static int NOF_BCCH_DLSCH_MSG = sched_interface::MAX_SIBS;
diff --git a/srsenb/src/stack/mac/mac.cc b/srsenb/src/stack/mac/mac.cc
index d7ce68e09..163cd4f17 100644
--- a/srsenb/src/stack/mac/mac.cc
+++ b/srsenb/src/stack/mac/mac.cc
@@ -28,7 +28,6 @@ using namespace asn1::rrc;
 namespace srsenb {
 mac::mac(srslte::ext_task_sched_handle task_sched_) :
- rar_pdu_msg(sched_interface::MAX_RAR_LIST),
 rar_payload(),
 common_buffers(SRSLTE_MAX_CARRIERS),
 task_sched(task_sched_)
@@ -821,12 +820,12 @@ int mac::get_mch_sched(uint32_t tti, bool is_mcch, dl_sched_list_t& dl_sched_res
 uint8_t* mac::assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
 uint32_t nof_grants,
- int rar_idx,
+ uint32_t rar_idx,
 uint32_t pdu_len,
 uint32_t tti)
 {
 uint8_t grant_buffer[64] = {};
- if (pdu_len < rar_payload_len) {
+ if (pdu_len < rar_payload_len && rar_idx < rar_pdu_msg.size()) {
 srslte::rar_pdu* pdu = &rar_pdu_msg[rar_idx];
 rar_payload[rar_idx].clear();
 pdu->init_tx(&rar_payload[rar_idx], pdu_len);
@@ -842,7 +841,7 @@ uint8_t* mac::assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
 pdu->write_packet(rar_payload[rar_idx].msg);
 return rar_payload[rar_idx].msg;
 } else {
- Error("Assembling RAR: pdu_len > rar_payload_len (%d>%d)\n", pdu_len, rar_payload_len);
+ Error("Assembling RAR: rar_idx=%d, pdu_len > rar_payload_len (%d>%d)\n", rar_idx, pdu_len, rar_payload_len);
 return nullptr;
 }
 }
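Review bot: The header now pairs a fixed-size `std::array rar_pdu_msg` with the C array `rar_payload[sched_interface::MAX_RAR_LIST]`, and `assemble_rar` (the mac.cc hunk at old line 821) indexes both with the same `rar_idx` while bounds-checking only the former, so the two extents must stay equal for that check to also protect `rar_payload`; nothing in the header states this coupling. The element count of `rar_pdu_msg` is not legible on this page (the template arguments appear stripped), so I cannot confirm the extents match. Suggest a comment on the two declarations, `// indexed together by rar_idx in assemble_rar(); both must hold sched_interface::MAX_RAR_LIST entries`, and pinning it with `static_assert(std::tuple_size<decltype(rar_pdu_msg)>::value == std::extent<decltype(rar_payload)>::value, "rar_pdu_msg and rar_payload must have the same extent");` so a future resize of one cannot silently reopen the out-of-bounds write the ASAN trace in the description reports.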
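Review bot: The new guard `pdu_len < rar_payload_len && rar_idx < rar_pdu_msg.size()` folds two unrelated rejections into one condition, so an out-of-range `rar_idx` — the case the ASAN trace in the description points at — falls into the else branch in the next hunk and is logged as a pdu_len problem, hiding the actual cause from whoever triages the log. Separate guard clauses with their own messages keep the fix but make each failure identifiable; the sketch below also uses `%u` for the `uint32_t` arguments. Note that `pdu_len < rar_payload_len` compares `uint32_t` with `const static int` (a `-Wsign-compare` warning; harmless for 128 but worth making `rar_payload_len` unsigned). assemble_rar's body continues past this hunk.
```cpp
  uint8_t grant_buffer[64] = {};
  // Reject each invalid input separately so the log names the real cause.
  if (rar_idx >= rar_pdu_msg.size()) {
    Error("Assembling RAR: rar_idx=%u out of range (max %zu)\n", rar_idx, rar_pdu_msg.size());
    return nullptr;
  }
  if (pdu_len >= rar_payload_len) {
    Error("Assembling RAR: pdu_len >= rar_payload_len (%u>=%d)\n", pdu_len, rar_payload_len);
    return nullptr;
  }
  srslte::rar_pdu* pdu = &rar_pdu_msg[rar_idx];
  // … unchanged: payload clear, init_tx, grant loop, write_packet, return …
```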
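Review bot: `rar_idx` and `pdu_len` are both `uint32_t` after this commit but the new Error line prints them with `%d`; use `%u` for those two (`rar_payload_len` is an `int`, so `%d` is correct there): `Error("Assembling RAR: rar_idx=%u, pdu_len >= rar_payload_len (%u>=%d)\n", rar_idx, pdu_len, rar_payload_len);`. The text also still says `>` while the rejecting condition is the negation of `pdu_len < rar_payload_len`, i.e. `>=`, so a pdu_len of exactly 128 would be logged as `128>128`.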