mac: convert rar_pdu_msg[] from vector into array and protect access

attempt to address ASAN detected issue:

RACH:  tti=821, cc=3, preamble=11, offset=0, temp_crnti=0x47
ASAN:DEADLYSIGNAL
=================================================================
==25385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000024 (pc 0x564b19a26c93 bp 0x7fa0e5f1a8c0 sp 0x7fa0e5f1a798 T8)
==25385==The signal is caused by a WRITE memory access.
==25385==Hint: address points to the zero page.

------DL--------------------------------UL------------------------------------
rnti cqi  ri mcs brate   ok  nok  (%)  snr  phr mcs brate   ok  nok  (%)   bsr
  46 0.10   0 0.0     0    0    0   0%    0  0.0   0     0    0    0   0%   0.0
  47 0.10   0 0.0     0    0    0   0%    0  0.0   0     0    0    0   0%   0.0
    #0 0x564b19a26c92 in srslte::rar_subh::set_ta_cmd(unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/lib/src/mac/pdu.cc:1136
    #1 0x564b19577f7e in srsenb::mac::assemble_rar(srsenb::sched_interface::dl_sched_rar_grant_t*, unsigned int, int, unsigned int, unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/stack/mac/mac.cc:837
    #2 0x564b19591765 in srsenb::mac::get_dl_sched(unsigned int, std::vector<srsenb::mac_interface_phy_lte::dl_sched_t, std::allocator<srsenb::mac_interface_phy_lte::dl_sched_t> >&) /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/stack/mac/mac.cc:653
    #3 0x564b19497ee2 in srsenb::lte::sf_worker::work_imp() /mnt/data/jenkins/workspace/srslte_ogt_manual_zmq/srsLTE/srsenb/src/phy/lte/sf_worker.cc:208
    #4 0x564b199f8db4 in
master
Andre Puschmann 4 years ago
parent 2ca894df01
commit 732a108982

@ -140,12 +140,12 @@ private:
uint8_t* assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
uint32_t nof_grants,
int rar_idx,
uint32_t rar_idx,
uint32_t pdu_len,
uint32_t tti);
const static int rar_payload_len = 128;
std::vector<srslte::rar_pdu> rar_pdu_msg;
std::array<srslte::rar_pdu, sched_interface::MAX_RAR_LIST> rar_pdu_msg;
srslte::byte_buffer_t rar_payload[sched_interface::MAX_RAR_LIST];
const static int NOF_BCCH_DLSCH_MSG = sched_interface::MAX_SIBS;
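Review bot: The `assemble_rar` declaration has no comment about its failure mode, although the definition in mac.cc now returns `nullptr` both when `pdu_len` is not below `rar_payload_len` and when `rar_idx` is outside `rar_pdu_msg`. I would add above the declaration: `// Returns nullptr if rar_idx >= MAX_RAR_LIST or pdu_len >= rar_payload_len; callers must check before using the buffer.` The caller in `get_dl_sched` is not part of this diff, so it is worth confirming that it tests the returned pointer before passing it on. Separately, `rar_payload_len` stays `const static int` while it is compared against a `uint32_t`; declaring it `static constexpr uint32_t` would remove the mixed-sign comparison.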

@ -28,7 +28,6 @@ using namespace asn1::rrc;
namespace srsenb {
mac::mac(srslte::ext_task_sched_handle task_sched_) :
rar_pdu_msg(sched_interface::MAX_RAR_LIST),
rar_payload(),
common_buffers(SRSLTE_MAX_CARRIERS),
task_sched(task_sched_)
@ -821,12 +820,12 @@ int mac::get_mch_sched(uint32_t tti, bool is_mcch, dl_sched_list_t& dl_sched_res
uint8_t* mac::assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
uint32_t nof_grants,
int rar_idx,
uint32_t rar_idx,
uint32_t pdu_len,
uint32_t tti)
{
uint8_t grant_buffer[64] = {};
if (pdu_len < rar_payload_len) {
if (pdu_len < rar_payload_len && rar_idx < rar_pdu_msg.size()) {
srslte::rar_pdu* pdu = &rar_pdu_msg[rar_idx];
rar_payload[rar_idx].clear();
pdu->init_tx(&rar_payload[rar_idx], pdu_len);
@ -842,7 +841,7 @@ uint8_t* mac::assemble_rar(sched_interface::dl_sched_rar_grant_t* grants,
pdu->write_packet(rar_payload[rar_idx].msg);
return rar_payload[rar_idx].msg;
} else {
Error("Assembling RAR: pdu_len > rar_payload_len (%d>%d)\n", pdu_len, rar_payload_len);
Error("Assembling RAR: rar_idx=%d, pdu_len > rar_payload_len (%d>%d)\n", rar_idx, pdu_len, rar_payload_len);
return nullptr;
}
}
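Review bot: The error branch at the end of `assemble_rar` now covers two different failures but still logs `pdu_len > rar_payload_len`, so an out-of-range `rar_idx` is reported as a length problem; the guard also rejects `pdu_len == rar_payload_len`, which the `>` in the text does not describe. Both `rar_idx` and `pdu_len` are `uint32_t`, so they should be printed with `%u` rather than `%d`. Suggested: `Error("Assembling RAR: rar_idx=%u (max %zu), pdu_len=%u (limit %d)\n", rar_idx, rar_pdu_msg.size(), pdu_len, rar_payload_len);`. The added bounds check only covers an index outside the array, while the ASAN report in the description is a write near address zero inside `set_ta_cmd`, which is called from the part of the function that lies between the hunks, so whether this change removes that crash cannot be judged from the lines shown.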
