fix double free issue

65cb8425 · wujing · b421498e · 65cb8425 · 65cb8425 · 65cb8425
Commit 65cb8425 authored Sep 19, 2019 by wujing
4 changed files
--- a/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c
+++ b/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c
@@ -269,6 +269,7 @@ rlc_am_receive_routing (
        rlc_pP->stat_rx_control_bytes += tb_size_in_bytes;
        rlc_pP->stat_rx_control_pdu += 1;
        rlc_am_receive_process_control_pdu (ctxt_pP, rlc_pP, tb_p, &first_byte_p, &tb_size_in_bytes);
+        tb_p = NULL;
        // Test if remaining bytes not processed (up to know, highest probability is bug in MAC)
 //Assertion(eNB)_PRAN_DesignDocument_annex No.767
  if(tb_size_in_bytes != 0)
@@ -347,9 +348,8 @@ rlc_am_receive_process_data_pdu (
            rlc_pP->vr_x);

      pdu_status = rlc_am_rx_list_check_duplicate_insert_pdu(ctxt_pP, rlc_pP,tb_pP);
-      if(tb_pP == NULL){
-          LOG_E(RLC, "rnti %x tb_pP is NULL\n", ctxt_pP->rnti);
-          return;
+      if(pdu_status == RLC_AM_DATA_PDU_STATUS_FREE_STATE){
+        tb_pP = NULL;
      }

      if (pdu_status != RLC_AM_DATA_PDU_STATUS_OK) {

--- a/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_rx_list.c
+++ b/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_rx_list.c
@@ -716,7 +716,7 @@ rlc_am_rx_pdu_status_t rlc_am_rx_list_handle_pdu_segment(
 		  /* Free original PDU Segment */
 		  free_mem_block(tb_pP, __func__);

-		  return RLC_AM_DATA_PDU_STATUS_OK;
+		  return RLC_AM_DATA_PDU_STATUS_FREE_STATE;
 	  }
 	  else {
 		  return RLC_AM_DATA_PDU_STATUS_BUFFER_FULL;
@@ -882,7 +882,7 @@ rlc_am_rx_pdu_status_t rlc_am_rx_list_handle_pdu(
 			  /* Free original PDU */
 			  free_mem_block(tb_pP, __func__);

-			  return pdu_status;
+			  return RLC_AM_DATA_PDU_STATUS_FREE_STATE;
 		  }
 		  else {
 			  return RLC_AM_DATA_PDU_STATUS_BUFFER_FULL;
@@ -1107,6 +1107,7 @@ rlc_am_rx_list_reassemble_rlc_sdus(
    if (rlc_am_rx_pdu_management_p->all_segments_received > 0) {
      cursor_p = list2_remove_head(&rlc_pP->receiver_buffer);
      rlc_am_reassemble_pdu(ctxt_pP, rlc_pP, cursor_p,TRUE);
+      cursor_p = NULL;
      rlc_am_rx_old_pdu_management = rlc_am_rx_pdu_management_p;
      cursor_p = list2_get_head(&rlc_pP->receiver_buffer);


--- a/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_status_report.c
+++ b/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_status_report.c
@@ -276,6 +276,7 @@ rlc_am_receive_process_control_pdu(
    if(ack_sn >= RLC_AM_SN_MODULO || rlc_pP->control_pdu_info.num_nack >= RLC_AM_MAX_NACK_IN_STATUS_PDU) {
      LOG_E(RLC, PROTOCOL_RLC_AM_CTXT_FMT" illegal ack_sn %d, num_nack %d\n",
            PROTOCOL_RLC_AM_CTXT_ARGS(ctxt_pP,rlc_pP), ack_sn, rlc_pP->control_pdu_info.num_nack);
+      free_mem_block(tb_pP, __func__);
      return;
    }


--- a/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_structs.h
+++ b/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_structs.h
@@ -269,8 +269,9 @@ typedef enum rlc_am_rx_pdu_status
    /** Unknown bearer */
 	RLC_AM_DATA_PDU_STATUS_INVALID_BEARER         = 6,
    /** RLC in wrong state */
-	RLC_AM_DATA_PDU_STATUS_WRONG_STATE            = 7
-
+	RLC_AM_DATA_PDU_STATUS_WRONG_STATE            = 7,
+    /*  sdu free state */
+       RLC_AM_DATA_PDU_STATUS_FREE_STATE            = 8
 } rlc_am_rx_pdu_status_t;

 /*! \cond PRIVATE */