Fix crash accessing NULL tbf->pdch[first_ts]

Fixes consistent crash under some specific scenarios explained in
OS#4756.

The crash was caused due to a bug in channel allocator algorithm
incorrectly populating tbf->pdch[] array as a result of mismatching
first_ts and resulting pdch selected slot bitmask.

The issue happens because when allocating a UL TBF in allocator B, the
subset is always further forced into allocating one single TS. As a
result, on that branch several variables are updated, but first_ts was
not.

The field used to be updated in older versions, but a bug was introduced
during code refactoring in commit listed below (31 Jan 2018).

Fixes: 0cc7212cfdfd40e87b531ecf14e76356185f4036
Related: OS#4756
Change-Id: I79596803f7dab6f21b58bfe39c2af65d9c5b39d5

diff --git a/src/gprs_rlcmac_ts_alloc.cpp b/src/gprs_rlcmac_ts_alloc.cpp
index 836dab5..496d19b 100644
--- a/src/gprs_rlcmac_ts_alloc.cpp
+++ b/src/gprs_rlcmac_ts_alloc.cpp
@@ -896,8 +896,6 @@
if (rc < 0)
return -EINVAL;
- first_ts = ffs(rc) - 1;
-
/* Step 3b: Derive the slot set for a given direction */
if (tbf->direction == GPRS_RLCMAC_DL_TBF) {
dl_slots = rc;
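Review bot: With `first_ts = ffs(rc) - 1;` removed from directly after the `rc < 0` check, first_ts holds no value derived from rc anywhere in Step 3b, so any read of it inside the DL/UL branches would now see whatever it held on entry. Please confirm nothing between this point and the new assignment reads first_ts, and consider initialising it to -1 at its declaration so an early use fails visibly instead of indexing tbf->pdch[] with a stale slot.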
@@ -914,6 +912,7 @@
update_slot_counters(ul_slots, reserved_ul_slots, &slotcount, &avail_count);
}
+ first_ts = ffs(rc) - 1;
first_common_ts = ffs(dl_slots & ul_slots) - 1;
if (first_common_ts < 0) {
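Review bot: The added `first_ts = ffs(rc) - 1;` is only correct because it runs after the direction branch has finished narrowing the slot set, and nothing at the assignment says so; since the commit message attributes the original bug to a refactoring that changed this ordering, a one-line comment stating that first_ts must be derived after the single-TS selection would guard against a repeat. Separately, rc is only rejected when negative, so rc == 0 gives ffs(0) == 0 and first_ts == -1; first_common_ts gets a `< 0` check on the next line but first_ts does not, and an equivalent guard (or an assert) before it is used to index tbf->pdch[] would turn a future mismatch into an error return rather than a NULL dereference. A regression test covering the OS#4756 scenario would also be worth adding with this change.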