Commit 21a2a8c6 authored by Cedric Roux's avatar Cedric Roux

rlc v2: some fixes for 'bugs' found by coverity scan

Minor fixes, doesn't change anything. Not sure these are 'bugs' either,
but let's be polite with coverity scan...

One thing was not changed.
Coverity scan says:
*** CID 357991:  Memory - illegal accesses  (USE_AFTER_FREE)
/home/carabe/raphael/openairinterface5g/openair2/LAYER2/rlc_v2/rlc_entity_am.c: 507 in tx_list_remove_sn()
501         } else {
502           prev = cur;
503           cur = cur->next;
504         }
505       }
506
>>>     CID 357991:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "head.next".
507       return head.next;
508     }
509
510     void cleanup_sdu_list(rlc_entity_am_t *entity)
511     {
512       rlc_sdu_t head;

But as far as I understand, there is no problem. We don't access
head.next at all if it has been freed. Or is there some aliasing
going on there (pointer aliasing)? I doubt it. False positive?
parent cd82d94c
...@@ -360,6 +360,7 @@ static tx_pdu_size_t tx_pdu_size(rlc_entity_um_t *entity, int maxsize) ...@@ -360,6 +360,7 @@ static tx_pdu_size_t tx_pdu_size(rlc_entity_um_t *entity, int maxsize)
ret.data_size = 0; ret.data_size = 0;
ret.header_size = 0; ret.header_size = 0;
ret.last_sdu_is_full = 1; ret.last_sdu_is_full = 1;
ret.first_sdu_length = 0;
/* TX PDU - let's make the biggest PDU we can with the SDUs we have */ /* TX PDU - let's make the biggest PDU we can with the SDUs we have */
sdu_count = 0; sdu_count = 0;
......
...@@ -134,7 +134,10 @@ tbs_size_t mac_rlc_data_req( ...@@ -134,7 +134,10 @@ tbs_size_t mac_rlc_data_req(
} }
if (MBMS_flagP == MBMS_FLAG_YES) { if (MBMS_flagP == MBMS_FLAG_YES) {
rb = ue->drb[channel_idP - 1]; if (channel_idP >= 1 && channel_idP <= 5)
rb = ue->drb[channel_idP - 1];
else
rb = NULL;
} }
...@@ -192,7 +195,10 @@ mac_rlc_status_resp_t mac_rlc_status_ind( ...@@ -192,7 +195,10 @@ mac_rlc_status_resp_t mac_rlc_status_ind(
} }
if (MBMS_flagP == MBMS_FLAG_YES) { if (MBMS_flagP == MBMS_FLAG_YES) {
rb = ue->drb[channel_idP - 1]; if (channel_idP >= 1 && channel_idP <= 5)
rb = ue->drb[channel_idP - 1];
else
rb = NULL;
} }
if (rb != NULL) { if (rb != NULL) {
...@@ -316,7 +322,9 @@ rlc_op_status_t rlc_data_req (const protocol_ctxt_t *const ctxt_pP, ...@@ -316,7 +322,9 @@ rlc_op_status_t rlc_data_req (const protocol_ctxt_t *const ctxt_pP,
if (rb_idP >= 1 && rb_idP <= 5) if (rb_idP >= 1 && rb_idP <= 5)
rb = ue->drb[rb_idP - 1]; rb = ue->drb[rb_idP - 1];
} }
if( MBMS_flagP == MBMS_FLAG_YES) { if( MBMS_flagP == MBMS_FLAG_YES) {
if (rb_idP >= 1 && rb_idP <= 5)
rb = ue->drb[rb_idP - 1]; rb = ue->drb[rb_idP - 1];
} }
...@@ -875,12 +883,19 @@ rlc_op_status_t rrc_rlc_config_asn1_req (const protocol_ctxt_t * const ctxt_pP ...@@ -875,12 +883,19 @@ rlc_op_status_t rrc_rlc_config_asn1_req (const protocol_ctxt_t * const ctxt_pP
mbms_service_id = MBMS_SessionInfo_p->tmgi_r9.serviceId_r9.buf[2]; //serviceId is 3-octet string mbms_service_id = MBMS_SessionInfo_p->tmgi_r9.serviceId_r9.buf[2]; //serviceId is 3-octet string
// mbms_service_id = j; // mbms_service_id = j;
#if 0
/* TODO: check if this code should stay there
* as it is both enb and ue cases do the same thing
*/
// can set the mch_id = i // can set the mch_id = i
if (ctxt_pP->enb_flag) { if (ctxt_pP->enb_flag) {
drb_id = (mbms_service_id * LTE_maxSessionPerPMCH ) + mbms_session_id;//+ (LTE_maxDRB + 3) * MAX_MOBILES_PER_ENB; // 1 drb_id = (mbms_service_id * LTE_maxSessionPerPMCH ) + mbms_session_id;//+ (LTE_maxDRB + 3) * MAX_MOBILES_PER_ENB; // 1
} else { } else {
drb_id = (mbms_service_id * LTE_maxSessionPerPMCH ) + mbms_session_id; // + (LTE_maxDRB + 3); // 15 drb_id = (mbms_service_id * LTE_maxSessionPerPMCH ) + mbms_session_id; // + (LTE_maxDRB + 3); // 15
} }
#endif
drb_id = (mbms_service_id * LTE_maxSessionPerPMCH ) + mbms_session_id;
LOG_I(RLC, PROTOCOL_CTXT_FMT" CONFIG REQ MBMS ASN1 LC ID %u RB ID %u SESSION ID %u SERVICE ID %u, mbms_rnti %x\n", LOG_I(RLC, PROTOCOL_CTXT_FMT" CONFIG REQ MBMS ASN1 LC ID %u RB ID %u SESSION ID %u SERVICE ID %u, mbms_rnti %x\n",
PROTOCOL_CTXT_ARGS(ctxt_pP), PROTOCOL_CTXT_ARGS(ctxt_pP),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment