fix double free or corruption issue

b421498e · wujing · 3628b1e8 · b421498e · b421498e
Commit b421498e authored Sep 18, 2019 by wujing
Showing with 23 additions and 14 deletions

common/utils/ocp_itti/intertask_interface.cpp common/utils/ocp_itti/intertask_interface.cpp +1 -1

openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c +22 -13

No files found.
--- a/common/utils/ocp_itti/intertask_interface.cpp
+++ b/common/utils/ocp_itti/intertask_interface.cpp
@@ -48,7 +48,7 @@ extern "C" {
 //    AssertFatal(leP!=NULL,"");
    if (leP != NULL) {
    free(leP);
-    LOG_I(TMR, "intertask_interface free_mem_block is called, after free leP is %d(NULL:0, notNULL:1)\n", leP==NULL?0:1);
+    LOG_I(TMR, "intertask_interface free_mem_block is called, after free leP is %p\n", leP);
    leP = NULL; //prevent double free
    } else {
      LOG_I(TMR, "intertask_interface free_mem_block is called, but before free leP is NULL\n");

--- a/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c
+++ b/openair2/LAYER2/RLC/AM_v9.3.0/rlc_am_receiver.c
@@ -347,6 +347,11 @@ rlc_am_receive_process_data_pdu (
            rlc_pP->vr_x);

      pdu_status = rlc_am_rx_list_check_duplicate_insert_pdu(ctxt_pP, rlc_pP,tb_pP);
+      if(tb_pP == NULL){
+          LOG_E(RLC, "rnti %x tb_pP is NULL\n", ctxt_pP->rnti);
+          return;
+      }
+
      if (pdu_status != RLC_AM_DATA_PDU_STATUS_OK) {
        rlc_pP->stat_rx_data_pdu_dropped     += 1;
        rlc_pP->stat_rx_data_bytes_dropped   += tb_size_in_bytesP;
@@ -410,20 +415,24 @@ rlc_am_receive_process_data_pdu (
        }

        if (pdu_info_p->sn == rlc_pP->vr_r) {
-mem_block_t*       cursor_p                    = rlc_pP->receiver_buffer.head;
-rlc_am_rx_pdu_management_t * pdu_cursor_mgnt_p = (rlc_am_rx_pdu_management_t *) (cursor_p->data);
-if( (((rlc_am_rx_pdu_management_t*)(tb_pP->data))->all_segments_received) == (pdu_cursor_mgnt_p->all_segments_received)){
-          if (((rlc_am_rx_pdu_management_t*)(tb_pP->data))->all_segments_received) {
-            rlc_am_rx_update_vr_r(ctxt_pP, rlc_pP, tb_pP);
-            rlc_pP->vr_mr = (rlc_pP->vr_r + RLC_AM_WINDOW_SIZE) & RLC_AM_SN_MASK;
+          mem_block_t*       cursor_p                    = rlc_pP->receiver_buffer.head;
+          if (cursor_p != NULL) {
+            rlc_am_rx_pdu_management_t * pdu_cursor_mgnt_p = (rlc_am_rx_pdu_management_t *) (cursor_p->data);
+            if( (((rlc_am_rx_pdu_management_t*)(tb_pP->data))->all_segments_received) == (pdu_cursor_mgnt_p->all_segments_received)){
+              if (((rlc_am_rx_pdu_management_t*)(tb_pP->data))->all_segments_received) {
+                rlc_am_rx_update_vr_r(ctxt_pP, rlc_pP, tb_pP);
+                rlc_pP->vr_mr = (rlc_pP->vr_r + RLC_AM_WINDOW_SIZE) & RLC_AM_SN_MASK;
+              }
+              reassemble = rlc_am_rx_check_vr_reassemble(ctxt_pP, rlc_pP);
+              //TODO : optimization : check whether a reassembly is needed by looking at LI, FI, SO, etc...
+            }else{
+              LOG_E(RLC, "BAD all_segments_received!!! discard buffer!!!\n");
+              /* Discard received block if out of window, duplicate or header error */
+              free_mem_block (tb_pP, __func__);
+            }
+          }else{
+            LOG_E(RLC,"cursor_p is NULL!!!\n");
          }
-          reassemble = rlc_am_rx_check_vr_reassemble(ctxt_pP, rlc_pP);
-          //TODO : optimization : check whether a reassembly is needed by looking at LI, FI, SO, etc...
-}else{
-  LOG_E(RLC, "BAD all_segments_received!!! discard buffer!!!\n");
-  /* Discard received block if out of window, duplicate or header error */
-  free_mem_block (tb_pP, __func__);
-}
        }

        //FNA: fix check VrX out of receiving window