Commit 78290f91 authored by Robert Schmidt's avatar Robert Schmidt

Fix memory leak in rrc_gNB_decode_dcch()

- Free the memory
- for NGAP NAS UL and NAS First Request, allocate a separate buffer for the NAS
  PDU to avoid use-after-free errors
parent 6f8a2226
...@@ -1787,6 +1787,7 @@ int rrc_gNB_decode_dcch(const protocol_ctxt_t *const ctxt_pP, ...@@ -1787,6 +1787,7 @@ int rrc_gNB_decode_dcch(const protocol_ctxt_t *const ctxt_pP,
break; break;
} }
} }
ASN_STRUCT_FREE(asn_DEF_NR_UL_DCCH_Message, ul_dcch_msg);
return 0; return 0;
} }
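Review bot: The ASN_STRUCT_FREE added just before the final `return 0` only runs on the fall-through path; the body of rrc_gNB_decode_dcch starts outside this hunk, so any earlier `return` in it (for instance on a decode failure or an unhandled message type, if such paths exist) would still leak the decoded `ul_dcch_msg`. Routing every exit through one cleanup label that does the free, or confirming that no earlier return exists, would close that gap. Freeing here also means every pointer into the decoded message is dangling once this function returns; the commit copies the NAS PDU for the two NGAP paths, but any other handler dispatched above that retains a pointer into `ul_dcch_msg` (none is visible in the hunk) would now be a use-after-free. A comment above the free stating the ownership rule, `/* ul_dcch_msg is released here: handlers above must copy anything they keep */`, would make that contract explicit for future handlers.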
...@@ -190,8 +190,10 @@ rrc_gNB_send_NGAP_NAS_FIRST_REQ( ...@@ -190,8 +190,10 @@ rrc_gNB_send_NGAP_NAS_FIRST_REQ(
req->establishment_cause = UE->establishment_cause; req->establishment_cause = UE->establishment_cause;
/* Forward NAS message */ /* Forward NAS message */
req->nas_pdu.buffer = rrcSetupComplete->dedicatedNAS_Message.buf;
req->nas_pdu.length = rrcSetupComplete->dedicatedNAS_Message.size; req->nas_pdu.length = rrcSetupComplete->dedicatedNAS_Message.size;
req->nas_pdu.buffer = malloc(req->nas_pdu.length);
AssertFatal(req->nas_pdu.buffer != NULL, "out of memory\n");
memcpy(req->nas_pdu.buffer, rrcSetupComplete->dedicatedNAS_Message.buf, req->nas_pdu.length);
// extract_imsi(NGAP_NAS_FIRST_REQ (message_p).nas_pdu.buffer, // extract_imsi(NGAP_NAS_FIRST_REQ (message_p).nas_pdu.buffer,
// NGAP_NAS_FIRST_REQ (message_p).nas_pdu.length, // NGAP_NAS_FIRST_REQ (message_p).nas_pdu.length,
// ue_context_pP); // ue_context_pP);
...@@ -637,19 +639,19 @@ rrc_gNB_send_NGAP_UPLINK_NAS( ...@@ -637,19 +639,19 @@ rrc_gNB_send_NGAP_UPLINK_NAS(
) )
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------
{ {
uint32_t pdu_length;
uint8_t *pdu_buffer;
MessageDef *msg_p; MessageDef *msg_p;
NR_ULInformationTransfer_t *ulInformationTransfer = ul_dcch_msg->message.choice.c1->choice.ulInformationTransfer; NR_ULInformationTransfer_t *ulInformationTransfer = ul_dcch_msg->message.choice.c1->choice.ulInformationTransfer;
gNB_RRC_UE_t *UE = &ue_context_pP->ue_context; gNB_RRC_UE_t *UE = &ue_context_pP->ue_context;
if (ulInformationTransfer->criticalExtensions.present == NR_ULInformationTransfer__criticalExtensions_PR_ulInformationTransfer) { if (ulInformationTransfer->criticalExtensions.present == NR_ULInformationTransfer__criticalExtensions_PR_ulInformationTransfer) {
pdu_length = ulInformationTransfer->criticalExtensions.choice.ulInformationTransfer->dedicatedNAS_Message->size; NR_DedicatedNAS_Message_t *nas = ulInformationTransfer->criticalExtensions.choice.ulInformationTransfer->dedicatedNAS_Message;
pdu_buffer = ulInformationTransfer->criticalExtensions.choice.ulInformationTransfer->dedicatedNAS_Message->buf; uint8_t *buf = malloc(nas->size);
AssertFatal(buf != NULL, "out of memory\n");
memcpy(buf, nas->buf, nas->size);
msg_p = itti_alloc_new_message (TASK_RRC_GNB, 0, NGAP_UPLINK_NAS); msg_p = itti_alloc_new_message (TASK_RRC_GNB, 0, NGAP_UPLINK_NAS);
NGAP_UPLINK_NAS(msg_p).gNB_ue_ngap_id = UE->rrc_ue_id; NGAP_UPLINK_NAS(msg_p).gNB_ue_ngap_id = UE->rrc_ue_id;
NGAP_UPLINK_NAS (msg_p).nas_pdu.length = pdu_length; NGAP_UPLINK_NAS (msg_p).nas_pdu.length = nas->size;
NGAP_UPLINK_NAS (msg_p).nas_pdu.buffer = pdu_buffer; NGAP_UPLINK_NAS (msg_p).nas_pdu.buffer = buf;
// extract_imsi(NGAP_UPLINK_NAS (msg_p).nas_pdu.buffer, // extract_imsi(NGAP_UPLINK_NAS (msg_p).nas_pdu.buffer,
// NGAP_UPLINK_NAS (msg_p).nas_pdu.length, // NGAP_UPLINK_NAS (msg_p).nas_pdu.length,
// ue_context_pP); // ue_context_pP);
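Review bot: The rewritten lines in rrc_gNB_send_NGAP_UPLINK_NAS dereference `nas` without a NULL check; dedicatedNAS-Message appears to be optional in the ASN.1 (it is reached through a pointer here), so a ULInformationTransfer received from a UE that omits it would fault on `nas->size` — the problem is pre-existing, but since these lines are being rewritten, a guard such as `if (nas == NULL || nas->size == 0) return;` before the malloc is the place to add it (the function's return type is outside the hunk; adjust if it returns a value). The zero-length case matters on its own as well: `malloc(0)` may legitimately return NULL and would then trip the "out of memory" AssertFatal. The same allocate-and-copy pattern in rrc_gNB_send_NGAP_NAS_FIRST_REQ (first hunk of this file) raises the ownership question for both call sites: the task receiving the ITTI message now owns `nas_pdu.buffer` and must free it after use, otherwise the use-after-free has been traded for a per-message leak. A comment at each assignment, `/* nas_pdu.buffer is owned by the receiving task, which must free it */`, would document that transfer.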