fix: handle NULL return of as_dl_tbf() and as_ul_tbf()
Go through all callers of as_dl_tbf() and as_ul_tbf(), and make sure
they can handle the possible NULL return value.
OS#5205 reports a NULL deref crash of osmo-pcu at pdch.cpp:525. The
immediate cause is that as_dl_tbf() may well return NULL, which this
caller does not handle and instead dereferences immediately.
This is a code path that apparently assumes that a DL-TBF should always
be present. The higher level cause for the NULL DL-TBF has not been
identified.
Related: OS#5205 SYS#5561
Change-Id: I8ce21be6836549b47a606c00b793d6f005964c5c
diff --git a/src/bts.cpp b/src/bts.cpp
index a91fe8d..b5fdfee 100644
--- a/src/bts.cpp
+++ b/src/bts.cpp
@@ -1162,22 +1162,21 @@
{
struct gprs_rlcmac_pdch *pdch = &bts->trx[trx_no].pdch[ts];
struct pdch_ulc_node *poll = pdch_ulc_get_node(pdch->ulc, fn);
- struct gprs_rlcmac_ul_tbf *tbf;
+ struct gprs_rlcmac_ul_tbf *ul_tbf = as_ul_tbf(poll->tbf_poll.poll_tbf);
if (!poll || poll->type !=PDCH_ULC_NODE_TBF_POLL ||
poll->tbf_poll.poll_tbf->direction != GPRS_RLCMAC_UL_TBF)
LOGP(DL1IF, LOGL_DEBUG, "[%s] update TA = %u ignored due to "
"unknown UL TBF on TRX = %d, TS = %d, FN = %d\n",
p, ta, trx_no, ts, fn);
- else {
- tbf = as_ul_tbf(poll->tbf_poll.poll_tbf);
+ else if (ul_tbf) {
/* we need to distinguish TA information provided by L1
* from PH-DATA-IND and PHY-RA-IND so that we can properly
* update TA for given TBF
*/
if (is_rach)
- set_tbf_ta(tbf, (uint8_t)ta);
+ set_tbf_ta(ul_tbf, (uint8_t)ta);
else
- update_tbf_ta(tbf, ta);
+ update_tbf_ta(ul_tbf, ta);
}
}