Commit 7243b6d6 authored by Haruki NAOI's avatar Haruki NAOI Committed by shono.takafumi

Avoid Segfault with abnormal MAC header.

(cherry picked from commit 04c5431468c9102dd625a73d9e5219b40b638fe3)
(cherry picked from commit 17880778c848406e562f98c20f7b7a6428502279)
(cherry picked from commit a26f44c197e854dd4261267a3695932392f09265)
parent deeded68
...@@ -33,7 +33,11 @@ ...@@ -33,7 +33,11 @@
*\return the extracted value. *\return the extracted value.
*/ */
static inline uint8_t BIT_STRING_to_uint8(BIT_STRING_t *asn) { static inline uint8_t BIT_STRING_to_uint8(BIT_STRING_t *asn) {
DevCheck ((asn->size == 1), asn->size, 0, 0); //DevCheck ((asn->size == 1), asn->size, 0, 0);
if(!(asn->size == 1)) {
printf("BIT_STRING_to_uint8 size %ld\n", asn->size);
return 0;
}
return asn->buf[0] >> asn->bits_unused; return asn->buf[0] >> asn->bits_unused;
} }
...@@ -47,7 +51,11 @@ static inline uint16_t BIT_STRING_to_uint16(BIT_STRING_t *asn) { ...@@ -47,7 +51,11 @@ static inline uint16_t BIT_STRING_to_uint16(BIT_STRING_t *asn) {
uint16_t result = 0; uint16_t result = 0;
int index = 0; int index = 0;
DevCheck ((asn->size > 0) && (asn->size <= 2), asn->size, 0, 0); //DevCheck ((asn->size > 0) && (asn->size <= 2), asn->size, 0, 0);
if(!((asn->size > 0) && (asn->size <= 2))) {
printf("BIT_STRING_to_uint16 size %ld\n", asn->size);
return 0;
}
switch (asn->size) { switch (asn->size) {
case 2: case 2:
...@@ -74,7 +82,11 @@ static inline uint32_t BIT_STRING_to_uint32(BIT_STRING_t *asn) { ...@@ -74,7 +82,11 @@ static inline uint32_t BIT_STRING_to_uint32(BIT_STRING_t *asn) {
int index; int index;
int shift; int shift;
DevCheck ((asn->size > 0) && (asn->size <= 4), asn->size, 0, 0); //DevCheck ((asn->size > 0) && (asn->size <= 4), asn->size, 0, 0);
if(!((asn->size > 0) && (asn->size <= 4))) {
printf("BIT_STRING_to_uint32 size %ld\n", asn->size);
return 0;
}
shift = ((asn->size - 1) * 8) - asn->bits_unused; shift = ((asn->size - 1) * 8) - asn->bits_unused;
for (index = 0; index < (asn->size - 1); index++) { for (index = 0; index < (asn->size - 1); index++) {
...@@ -97,7 +109,11 @@ static inline uint64_t BIT_STRING_to_uint64(BIT_STRING_t *asn) { ...@@ -97,7 +109,11 @@ static inline uint64_t BIT_STRING_to_uint64(BIT_STRING_t *asn) {
int index; int index;
int shift; int shift;
DevCheck ((asn->size > 0) && (asn->size <= 8), asn->size, 0, 0); //DevCheck ((asn->size > 0) && (asn->size <= 8), asn->size, 0, 0);
if(!((asn->size > 0) && (asn->size <= 8))) {
printf("BIT_STRING_to_uint64 size %ld\n", asn->size);
return 0;
}
shift = ((asn->size - 1) * 8) - asn->bits_unused; shift = ((asn->size - 1) * 8) - asn->bits_unused;
for (index = 0; index < (asn->size - 1); index++) { for (index = 0; index < (asn->size - 1); index++) {
......
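Review bot: The new guards at L14, L24, L34 and L44 validate only `asn->size`, but `asn->bits_unused` comes from the same decoded message and feeds the shifts at L18, L38 and L48 (`asn->buf[0] >> asn->bits_unused`, `shift = ((asn->size - 1) * 8) - asn->bits_unused`); a value outside 0..7 yields a negative or over-wide shift count, which is undefined behaviour, so each guard should also reject it, e.g. `if (!(asn->size == 1) || asn->bits_unused < 0 || asn->bits_unused > 7) {`. The four `printf("... %ld\n", asn->size)` lines use `%ld`; if `size` is `size_t` in this asn1c version the specifier is mismatched and `%zu` is the correct one, and routing the message through `LOG_E(MAC, ...)` like the rest of this commit would keep it on the normal log path instead of stdout. Returning 0 for a malformed BIT STRING is indistinguishable at the call sites from a legitimately decoded 0, so callers cannot tell the field was rejected; that is acceptable as a crash fix but deserves a comment on each early return, e.g. `/* malformed BIT STRING: return 0 instead of aborting; indistinguishable from a genuine 0 for the caller */`.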
...@@ -683,7 +683,7 @@ rx_sdu(const module_id_t enb_mod_idP, ...@@ -683,7 +683,7 @@ rx_sdu(const module_id_t enb_mod_idP,
switch (rx_lcids[i]) { switch (rx_lcids[i]) {
case CCCH: case CCCH:
if (rx_lengths[i] > CCCH_PAYLOAD_SIZE_MAX) { if ((rx_lengths[i] > CCCH_PAYLOAD_SIZE_MAX) || (rx_lengths[i] < 0) || (rx_lengths[i] > sdu_lenP)) {
LOG_E(MAC, "[eNB %d/%d] frame %d received CCCH of size %d (too big, maximum allowed is %d, sdu_len %d), dropping packet\n", LOG_E(MAC, "[eNB %d/%d] frame %d received CCCH of size %d (too big, maximum allowed is %d, sdu_len %d), dropping packet\n",
enb_mod_idP, enb_mod_idP,
CC_idP, CC_idP,
...@@ -804,6 +804,17 @@ rx_sdu(const module_id_t enb_mod_idP, ...@@ -804,6 +804,17 @@ rx_sdu(const module_id_t enb_mod_idP,
LOG_T(MAC, "\n"); LOG_T(MAC, "\n");
#endif #endif
if ((rx_lengths[i] > DCH_PAYLOAD_SIZE_MAX) || (rx_lengths[i] < 0) || (rx_lengths[i] > sdu_lenP)) {
LOG_E(MAC, "[eNB %d/%d] frame %d received DCCH of size %d (too big, maximum allowed is %d, sdu_len %d), dropping packet\n",
enb_mod_idP,
CC_idP,
frameP,
rx_lengths[i],
DCH_PAYLOAD_SIZE_MAX,
sdu_lenP);
break;
}
if (UE_id != -1) { if (UE_id != -1) {
if (lcgid_updated[UE_template_ptr->lcgidmap[rx_lcids[i]]] == 0) { if (lcgid_updated[UE_template_ptr->lcgidmap[rx_lcids[i]]] == 0) {
/* Adjust buffer occupancy of the correponding logical channel group */ /* Adjust buffer occupancy of the correponding logical channel group */
...@@ -853,6 +864,17 @@ rx_sdu(const module_id_t enb_mod_idP, ...@@ -853,6 +864,17 @@ rx_sdu(const module_id_t enb_mod_idP,
#endif #endif
if (rx_lcids[i] < NB_RB_MAX) { if (rx_lcids[i] < NB_RB_MAX) {
if ((rx_lengths[i] > SCH_PAYLOAD_SIZE_MAX) || (rx_lengths[i] < 0) || (rx_lengths[i] > sdu_lenP)) {
LOG_E(MAC, "[eNB %d/%d] frame %d received DTCH of size %d (too big, maximum allowed is %d, sdu_len %d), dropping packet\n",
enb_mod_idP,
CC_idP,
frameP,
rx_lengths[i],
DCH_PAYLOAD_SIZE_MAX,
sdu_lenP);
UE_list->eNB_UE_stats[CC_idP][UE_id].num_errors_rx += 1;
break;
}
LOG_D(MAC, "[eNB %d] CC_id %d Frame %d : ULSCH -> UL-DTCH, received %d bytes from UE %d for lcid %d\n", LOG_D(MAC, "[eNB %d] CC_id %d Frame %d : ULSCH -> UL-DTCH, received %d bytes from UE %d for lcid %d\n",
enb_mod_idP, enb_mod_idP,
CC_idP, CC_idP,
...@@ -862,6 +884,25 @@ rx_sdu(const module_id_t enb_mod_idP, ...@@ -862,6 +884,25 @@ rx_sdu(const module_id_t enb_mod_idP,
rx_lcids[i]); rx_lcids[i]);
if (UE_id != -1) { if (UE_id != -1) {
ue_contextP = rrc_eNB_get_ue_context(RC.rrc[enb_mod_idP], current_rnti);
if (ue_contextP != NULL) {
if (ue_contextP->ue_context.DRB_active[rx_lcids[i] - 2] == 0) {
LOG_E(MAC, "[eNB %d/%d] frame %d received non active DTCH of size %d ( sdu_len %d, lcid %d), dropping packet\n",
enb_mod_idP,
CC_idP,
frameP,
rx_lengths[i],
sdu_lenP,rx_lcids[i]);
UE_list->eNB_UE_stats[CC_idP][UE_id].num_errors_rx += 1;
break;
}
}else{
LOG_E(MAC, "[eNB %d] CC_id %d Couldn't find the context associated to UE (RNTI %d) and reset RRC inactivity timer\n",
enb_mod_idP,
CC_idP,
current_rnti);
break;
}
/* Adjust buffer occupancy of the correponding logical channel group */ /* Adjust buffer occupancy of the correponding logical channel group */
LOG_D(MAC, "[eNB %d] CC_id %d Frame %d : ULSCH -> UL-DTCH, received %d bytes from UE %d for lcid %d, removing from LCGID %ld, %d\n", LOG_D(MAC, "[eNB %d] CC_id %d Frame %d : ULSCH -> UL-DTCH, received %d bytes from UE %d for lcid %d, removing from LCGID %ld, %d\n",
enb_mod_idP, enb_mod_idP,
...@@ -890,16 +931,12 @@ rx_sdu(const module_id_t enb_mod_idP, ...@@ -890,16 +931,12 @@ rx_sdu(const module_id_t enb_mod_idP,
} }
} }
if ((rx_lengths[i] < SCH_PAYLOAD_SIZE_MAX) && (rx_lengths[i] > 0)) { // MAX SIZE OF transport block
mac_rlc_data_ind(enb_mod_idP, current_rnti, enb_mod_idP, frameP, ENB_FLAG_YES, MBMS_FLAG_NO, rx_lcids[i], (char *) payload_ptr, rx_lengths[i], 1, NULL); mac_rlc_data_ind(enb_mod_idP, current_rnti, enb_mod_idP, frameP, ENB_FLAG_YES, MBMS_FLAG_NO, rx_lcids[i], (char *) payload_ptr, rx_lengths[i], 1, NULL);
UE_info->eNB_UE_stats[CC_idP][UE_id].num_pdu_rx[rx_lcids[i]] += 1; UE_info->eNB_UE_stats[CC_idP][UE_id].num_pdu_rx[rx_lcids[i]] += 1;
UE_info->eNB_UE_stats[CC_idP][UE_id].num_bytes_rx[rx_lcids[i]] += rx_lengths[i]; UE_info->eNB_UE_stats[CC_idP][UE_id].num_bytes_rx[rx_lcids[i]] += rx_lengths[i];
/* Clear uplane_inactivity_timer */ /* Clear uplane_inactivity_timer */
UE_scheduling_control->uplane_inactivity_timer = 0; UE_scheduling_control->uplane_inactivity_timer = 0;
/* Reset RRC inactivity timer after uplane activity */ /* Reset RRC inactivity timer after uplane activity */
ue_contextP = rrc_eNB_get_ue_context(RC.rrc[enb_mod_idP], current_rnti);
if (ue_contextP != NULL) {
ue_contextP->ue_context.ue_rrc_inactivity_timer = 1; ue_contextP->ue_context.ue_rrc_inactivity_timer = 1;
} else { } else {
LOG_E(MAC, "[eNB %d] CC_id %d Couldn't find the context associated to UE (RNTI %d) and reset RRC inactivity timer\n", LOG_E(MAC, "[eNB %d] CC_id %d Couldn't find the context associated to UE (RNTI %d) and reset RRC inactivity timer\n",
......
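Review bot: In the DTCH hunk at L77-L87, `UE_list->eNB_UE_stats[CC_idP][UE_id].num_errors_rx += 1` at L85 executes before the `if (UE_id != -1)` check that the existing context keeps at L93, so an unknown UE (UE_id == -1) turns this drop path into a write at index -1 of `eNB_UE_stats[CC_idP]`, an out-of-bounds write reachable from the same malformed header this commit is meant to reject; guard it as `if (UE_id != -1) { UE_list->eNB_UE_stats[CC_idP][UE_id].num_errors_rx += 1; }` (the DCCH drop at L61-L70 does not touch the counter and is fine). The same hunk tests `SCH_PAYLOAD_SIZE_MAX` at L77 but logs `DCH_PAYLOAD_SIZE_MAX` as the allowed maximum at L83, so the log argument should be `SCH_PAYLOAD_SIZE_MAX,`. The new lines at L85 and L103 use `UE_list->eNB_UE_stats` while the surrounding context at L121-L122 uses `UE_info->eNB_UE_stats`; if only one of those names exists on this branch the cherry-pick will not build, and if both do, the error counter lands on a different object than the pdu/byte counters, so presumably one name should be used throughout. rx_sdu begins and ends outside these hunks, so it cannot be confirmed here whether the loop still advances `payload_ptr` by a rejected `rx_lengths[i]` after the `break`; if it does, a negative or oversized length still corrupts the parse of the following sub-headers and the drop should abort the whole PDU rather than the current sub-header only.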