Harald Welte has submitted this change and it was merged.

Change subject: gsm48_parse_meas_rep(): set num_cell=0 if no neighbor cells are reported
......................................................................


gsm48_parse_meas_rep(): set num_cell=0 if no neighbor cells are reported

Set mr->num_cell to 0 if the bits reflect 0x7, which means that no neighbor
cell measurements are enclosed in the report.

The code in gsm48_parse_meas_rep() acknowledges that, but nevertheless left
num_cell == 7, and evaluating code commonly runs into the mistake of assuming
that actually seven neighbors are being reported on, like:

 MEASUREMENT REPORT
   0: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   1: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   2: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   3: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   4: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   5: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0
   6: arfcn=0 bsic=0 neigh_idx=0 rxlev=0 flags=0

There are only up to 6 slots for neighbors, the above listing actually printed
7, because num_cell == 7, which is a potential segfault.  (sometimes it printed
uninitialized values instead of 0)

We could fix all meas rep consumers to know what num_cell == 7 means, but
instead setting it to 0 trivially fixes all of them.

Change-Id: Ie12210660a04f2d664ddc92e7ad7fc39ee474180
---
M src/libbsc/gsm_04_08_utils.c
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libbsc/gsm_04_08_utils.c b/src/libbsc/gsm_04_08_utils.c
index 3004e5d..b75b42f 100644
--- a/src/libbsc/gsm_04_08_utils.c
+++ b/src/libbsc/gsm_04_08_utils.c
@@ -551,8 +551,11 @@
        rep->dl.sub.rx_qual = (data[2] >> 1) & 0x7;
 
        rep->num_cell = ((data[3] >> 6) & 0x3) | ((data[2] & 0x01) << 2);
-       if (rep->num_cell < 1 || rep->num_cell > 6)
+       if (rep->num_cell < 1 || rep->num_cell > 6) {
+               /* There are no neighbor cell reports present. */
+               rep->num_cell = 0;
                return 0;
+       }
 
        /* an encoding nightmare in perfection */
        mrc = &rep->cell[0];
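
Review bot: The comment added in the `rep->num_cell < 1 || rep->num_cell > 6` branch does not say that the value 7 of the 3-bit field is what gets normalised here, so the reason for `rep->num_cell = 0;` is only recoverable from the commit message. Consider wording it along the lines of `/* 0x7 means no neighbor cell measurements are present; report 0 so consumers do not iterate over rep->cell[] */`. The literal `6` in the range check is also not visibly tied to the size of `rep->cell[]`; if the array is declared with six entries as the commit message states, deriving the bound from the array size would keep the check and the storage from drifting apart. Finally, the change touches only gsm_04_08_utils.c, so nothing pins the behaviour: a small test that feeds a report with these bits set to 0x7 and checks `num_cell == 0` would guard consumers against a regression to the out-of-bounds read described in the commit message.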

-- 
To view, visit https://gerrit.osmocom.org/7149
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie12210660a04f2d664ddc92e7ad7fc39ee474180
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofm...@sysmocom.de>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
