Avoid NULL access in rrc_eNB_process_RRCConnectionReestablishmentComplete.

59623646 · Masayuki HARADA · de35844c · 59623646
Commit 59623646 authored Feb 22, 2018 by Masayuki HARADA
Show whitespace changes
Inline Side-by-side

Showing with 49 additions and 35 deletions

openair2/RRC/LITE/rrc_eNB.c openair2/RRC/LITE/rrc_eNB.c +49 -35

No files found.
--- a/openair2/RRC/LITE/rrc_eNB.c
+++ b/openair2/RRC/LITE/rrc_eNB.c
@@ -1371,8 +1371,10 @@ rrc_eNB_process_RRCConnectionReestablishmentComplete(
  SRB_configList2 = &ue_context_pP->ue_context.SRB_configList2[xid];
  // get old configuration of SRB2
  if (*SRB_configList2 != NULL) {
+    if((*SRB_configList2)->list.count!=0){
      LOG_D(RRC, "SRB_configList2(%p) count is %d\n           SRB_configList2->list.array[0] addr is %p",
          SRB_configList2, (*SRB_configList2)->list.count,  (*SRB_configList2)->list.array[0]);
+    }
    for (i = 0; (i < (*SRB_configList2)->list.count) && (i < 3); i++) {
      if ((*SRB_configList2)->list.array[i]->srb_Identity == 2 ){
        LOG_D(RRC, "get SRB2_config from (ue_context_pP->ue_context.SRB_configList2[%d])\n", xid);
@@ -1384,10 +1386,14 @@ rrc_eNB_process_RRCConnectionReestablishmentComplete(
  SRB_configList2 = &ue_context_pP->ue_context.SRB_configList2[next_xid];
  DRB_configList2 = &ue_context_pP->ue_context.DRB_configList2[next_xid];
+  if(SRB_configList2!=NULL){
    if (*SRB_configList2) {
      free(*SRB_configList2);
      LOG_D(RRC, "free(ue_context_pP->ue_context.SRB_configList2[%d])\n", next_xid);
    }
+  }else{
+      LOG_E(RRC, "SRB_configList2 is null\n");
+  }
  *SRB_configList2 = CALLOC(1, sizeof(**SRB_configList2));
  if (SRB2_config != NULL) {
    // Add SRB2 to SRB configuration list
@@ -1406,10 +1412,14 @@ rrc_eNB_process_RRCConnectionReestablishmentComplete(
+  if(DRB_configList2!=NULL){
    if (*DRB_configList2) {
      free(*DRB_configList2);
      LOG_D(RRC, "free(ue_context_pP->ue_context.DRB_configList2[%d])\n", next_xid);
    }
+  }else{
+      LOG_E(RRC, "DRB_configList2 is null\n");
+  }
  *DRB_configList2 = CALLOC(1, sizeof(**DRB_configList2));
  if (DRB_configList != NULL) {
@@ -1863,7 +1873,11 @@ rrc_eNB_process_RRCConnectionReestablishmentComplete(
  }
 #endif
+  if(size==65535){
+    LOG_E(RRC,"RRC decode err!!! do_RRCConnectionReconfiguration\n");
+    put_UE_in_freelist(ctxt_pP->module_id, reestablish_rnti, 0);
+    return;
+  }else{
    LOG_I(RRC,
          "[eNB %d] Frame %d, Logical Channel DL-DCCH, Generate RRCConnectionReconfiguration (bytes %d, UE id %x)\n",
          ctxt_pP->module_id, ctxt_pP->frame, size, ue_context_pP->ue_context.rnti);
@@ -1891,7 +1905,7 @@ rrc_eNB_process_RRCConnectionReestablishmentComplete(
           size,
           buffer,
           PDCP_TRANSMISSION_MODE_CONTROL);
+  }
  // delete UE data of prior RNTI.  UE use current RNTI.
 //  protocol_ctxt_t ctxt_prior = *ctxt_pP;
 //  ctxt_prior.rnti = reestablish_rnti;