From ca9047e5554033b28dbd6ebfdad72f68e6715722 Mon Sep 17 00:00:00 2001
From: Ismael Gomez <ismael@softwareradiosystems.com>
Date: Sat, 9 Jun 2018 11:10:39 -0700
Subject: [PATCH] validate DL type1 sched grant rbg_subset

---
 lib/src/phy/phch/dci.c | 4 +++-
 lib/src/phy/phch/ra.c  | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/src/phy/phch/dci.c b/lib/src/phy/phch/dci.c
index 7bb2f9c19..a5de451ce 100644
--- a/lib/src/phy/phch/dci.c
+++ b/lib/src/phy/phch/dci.c
@@ -73,7 +73,9 @@ int srslte_dci_msg_to_dl_grant(srslte_dci_msg_t *msg, uint16_t msg_rnti,
     } 
 
     if (!dl_dci->is_ra_order) {
-      srslte_ra_dl_dci_to_grant(dl_dci, nof_prb, msg_rnti, grant);
+      if (srslte_ra_dl_dci_to_grant(dl_dci, nof_prb, msg_rnti, grant)) {
+        return ret;
+      }
 
       if (SRSLTE_VERBOSE_ISINFO()) {
         srslte_ra_pdsch_fprint(stdout, dl_dci, nof_prb);
diff --git a/lib/src/phy/phch/ra.c b/lib/src/phy/phch/ra.c
index a73c5d2e9..f5045ff15 100644
--- a/lib/src/phy/phch/ra.c
+++ b/lib/src/phy/phch/ra.c
@@ -313,6 +313,10 @@ int srslte_ra_dl_dci_to_grant_prb_allocation(srslte_ra_dl_dci_t *dci, srslte_ra_
     memcpy(&grant->prb_idx[1], &grant->prb_idx[0], SRSLTE_MAX_PRB*sizeof(bool));
     break;
   case SRSLTE_RA_ALLOC_TYPE1:
+    // Make sure the rbg_subset is valid
+    if (dci->type1_alloc.rbg_subset >= P) {
+      return SRSLTE_ERROR;
+    }
     n_rb_type1 = srslte_ra_type1_N_rb(nof_prb);
     uint32_t temp = ((nof_prb - 1) / P) % P;
     if (dci->type1_alloc.rbg_subset < temp) {