NR_UE: always break out of MAC PDU processing after pdu_len Bytes

In case of false positive PDSCH CRC check, a random MAC PDU is processed. Currently pdu_len is unsigned 16 Bit, so we did break out of the processing loop only if we _exactly_ hit a residual pdu_len of 0, or we hit a LCID of DL_SCH_LCID_PADDING. If we didn't hit either of these, pdu_len wrapped to a very positive value, and we continued processing the PDU even beyond its bounds! This behavior was observed with SNR 1 dB and MCS 9. So better make pdu_len signed and break out of the loop after processing at max. pdu_len Bytes!

NR_UE: always break out of MAC PDU processing after pdu_len Bytes
In case of false positive PDSCH CRC check, a random MAC PDU is processed. Currently pdu_len is unsigned 16 Bit, so we did break out of the processing loop only if we _exactly_ hit a residual pdu_len of 0, or we hit a LCID of DL_SCH_LCID_PADDING. If we didn't hit either of these, pdu_len wrapped to a very positive value, and we continued processing the PDU even beyond its bounds! This behavior was observed with SNR 1 dB and MCS 9. So better make pdu_len signed and break out of the loop after processing at max. pdu_len Bytes!
bc041092 · Thomas Schlichter · 14f3d6a7 · bc041092 · bc041092
Commit bc041092 authored Mar 19, 2021 by Thomas Schlichter
Showing with 4 additions and 4 deletions

openair1/SCHED_NR_UE/phy_procedures_nr_ue.c openair1/SCHED_NR_UE/phy_procedures_nr_ue.c +1 -1

openair2/LAYER2/NR_MAC_UE/nr_ue_procedures.c openair2/LAYER2/NR_MAC_UE/nr_ue_procedures.c +3 -3

No files found.
--- a/openair1/SCHED_NR_UE/phy_procedures_nr_ue.c
+++ b/openair1/SCHED_NR_UE/phy_procedures_nr_ue.c
@@ -881,7 +881,7 @@ void nr_ue_dlsch_procedures(PHY_VARS_NR_UE *ue,
  int harq_pid = dlsch0->current_harq_pid;
  int frame_rx = proc->frame_rx;
  int nr_slot_rx = proc->nr_slot_rx;
-  int ret=0, ret1=0;
+  uint32_t ret = UINT32_MAX, ret1 = UINT32_MAX;
  NR_UE_PDSCH *pdsch_vars;
  uint16_t dmrs_len = get_num_dmrs(dlsch0->harq_processes[dlsch0->current_harq_pid]->dlDmrsSymbPos);
  nr_downlink_indication_t dl_indication;

--- a/openair2/LAYER2/NR_MAC_UE/nr_ue_procedures.c
+++ b/openair2/LAYER2/NR_MAC_UE/nr_ue_procedures.c
@@ -1746,7 +1746,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
  frame_t frameP         = dl_info->frame;
  int slot               = dl_info->slot;
  uint8_t *pduP          = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu;
-  uint16_t pdu_len       = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu_length;
+  int32_t pdu_len        = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu_length;
  uint8_t gNB_index      = dl_info->gNB_index;
  uint8_t CC_id          = dl_info->cc_id;
  uint8_t done           = 0;
@@ -1757,7 +1757,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
    return;
  }
-  LOG_D(MAC, "In %s [%d.%d]: processing PDU %d of %d total number of PDUs...\n", __FUNCTION__, frameP, slot, pdu_id, dl_info->rx_ind->number_pdus);
+  LOG_D(MAC, "In %s [%d.%d]: processing PDU %d (with length %d) of %d total number of PDUs...\n", __FUNCTION__, frameP, slot, pdu_id, pdu_len, dl_info->rx_ind->number_pdus);
    while (!done && pdu_len > 0){
        mac_ce_len = 0x0000;
@@ -1961,7 +1961,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
        pduP += ( mac_subheader_len + mac_ce_len + mac_sdu_len );
        pdu_len -= ( mac_subheader_len + mac_ce_len + mac_sdu_len );
        if (pdu_len < 0)
-          LOG_E(MAC, "[MAC] nr_ue_process_mac_pdu, residual mac pdu length %d < 0!\n", pdu_len);
+          LOG_E(MAC, "[UE %d][%d.%d] nr_ue_process_mac_pdu, residual mac pdu length %d < 0!\n", module_idP, frameP, slot, pdu_len);
    }
 }