From f5e3049f6376cca927b71542a8edc0487bb9fc36 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Tue, 6 Mar 2018 14:46:50 +0100
Subject: [PATCH] add check for possible buffer pool misallocation in RRC/NAS/GW
---
 srsue/src/upper/gw.cc | 8 ++++++--
 srsue/src/upper/nas.cc | 13 +++++++++++++
 srsue/src/upper/rrc.cc | 11 ++++++++---
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/srsue/src/upper/gw.cc b/srsue/src/upper/gw.cc
index 65748f57b..fbf4bca9f 100644
--- a/srsue/src/upper/gw.cc
+++ b/srsue/src/upper/gw.cc
@@ -242,7 +242,11 @@ void gw::run_thread()
 struct iphdr *ip_pkt;
 uint32 idx = 0;
 int32 N_bytes;
- srslte::byte_buffer_t *pdu = pool_allocate;
+ srslte::byte_buffer_t *pdu = pool_allocate;
+ if (!pdu) {
+ gw_log->error("Fatal Error: Couldn't allocate PDU in run_thread().\n");
+ return;
+ }
 const static uint32_t ATTACH_TIMEOUT_MS = 10000;
 const static uint32_t ATTACH_MAX_ATTEMPTS = 3;
@@ -307,7 +311,7 @@ void gw::run_thread()
 do {
 pdu = pool_allocate;
 if (!pdu) {
- printf("Not enough buffers in pool\n");
+ gw_log->error("Fatal Error: Couldn't allocate PDU in run_thread().\n");
 usleep(100000);
 }
 } while(!pdu);
diff --git a/srsue/src/upper/nas.cc b/srsue/src/upper/nas.cc
index 0a5b597e4..5d766776a 100644
--- a/srsue/src/upper/nas.cc
+++ b/srsue/src/upper/nas.cc
@@ -812,6 +812,11 @@ void nas::parse_emm_information(uint32_t lcid, byte_buffer_t *pdu) {
 void nas::send_attach_request() {
 LIBLTE_MME_ATTACH_REQUEST_MSG_STRUCT attach_req;
 byte_buffer_t *msg = pool_allocate;
+ if (!msg) {
+ nas_log->error("Fatal Error: Couldn't allocate PDU in send_attach_request().\n");
+ return;
+ }
+ u_int32_t i;
 attach_req.eps_attach_type = LIBLTE_MME_EPS_ATTACH_TYPE_EPS_ATTACH;
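Review bot: The new null check at the top of gw::run_thread() (first gw.cc hunk) returns from the function, while the allocation loop later in the same function (second gw.cc hunk) handles the same condition by sleeping and retrying. As written, a pool that is briefly empty at start-up ends run_thread() with a single log line, and nothing visible in the hunk signals the rest of the UE that it stopped; any flag or cleanup further down the function is outside the hunk, so this needs confirming. Either reuse the retry loop here or make the difference explicit with a comment such as `// pool exhausted at start-up: give up instead of retrying, because ...`.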
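Review bot: In the retry loop of gw::run_thread() (second gw.cc hunk) the new message says "Fatal Error" although the code sleeps 100 ms and tries again, and the text is identical to the message at the top of the function, so the two sites cannot be told apart in a log. While the pool stays empty this writes an error-level line on every iteration, which can bury other entries an operator needs during an incident. A distinct, non-fatal wording would be clearer, e.g. `gw_log->warning("Not enough buffers in pool, retrying in 100 ms.\n");`, ideally logged once per exhaustion episode rather than on each pass.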
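Review bot: The three NAS senders touched by this patch (send_attach_request() in this hunk, send_security_mode_reject() and send_service_request() in the next two nas.cc hunks) now return silently when pool_allocate fails, and because they are void the caller cannot tell that no message left the UE. For send_security_mode_reject() this means a security mode command the UE decided to reject goes unanswered under memory pressure; whether the callers update state or start a timer on the assumption that the message was sent is not visible in these hunks. All three bodies continue outside their hunks. At minimum document the behaviour at each check, e.g. `// Message is dropped on allocation failure; the caller is not notified`, and consider a follow-up that reports the failure to the caller.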
@@ -913,6 +918,10 @@ void nas::gen_pdn_connectivity_request(LIBLTE_BYTE_MSG_STRUCT *msg) {
 void nas::send_security_mode_reject(uint8_t cause) {
 byte_buffer_t *msg = pool_allocate;
+ if (!msg) {
+ nas_log->error("Fatal Error: Couldn't allocate PDU in send_security_mode_reject().\n");
+ return;
+ }
 LIBLTE_MME_SECURITY_MODE_REJECT_MSG_STRUCT sec_mode_rej;
 sec_mode_rej.emm_cause = cause;
@@ -928,6 +937,10 @@ void nas::send_identity_response() {}
 void nas::send_service_request() {
 byte_buffer_t *msg = pool_allocate;
+ if (!msg) {
+ nas_log->error("Fatal Error: Couldn't allocate PDU in send_service_request().\n");
+ return;
+ }
 // Pack the service request message directly
 msg->msg[0] = (LIBLTE_MME_SECURITY_HDR_TYPE_SERVICE_REQUEST << 4) | (LIBLTE_MME_PD_EPS_MOBILITY_MANAGEMENT);
diff --git a/srsue/src/upper/rrc.cc b/srsue/src/upper/rrc.cc
index 37ae14e8c..56d0eb6ce 100644
--- a/srsue/src/upper/rrc.cc
+++ b/srsue/src/upper/rrc.cc
@@ -1265,9 +1265,14 @@ void rrc::handle_rrc_con_reconfig(uint32_t lcid, LIBLTE_RRC_CONNECTION_RECONFIGU
 byte_buffer_t *nas_sdu;
 for (i = 0; i < reconfig->N_ded_info_nas; i++) {
 nas_sdu = pool_allocate;
- memcpy(nas_sdu->msg, &reconfig->ded_info_nas_list[i].msg, reconfig->ded_info_nas_list[i].N_bytes);
- nas_sdu->N_bytes = reconfig->ded_info_nas_list[i].N_bytes;
- nas->write_pdu(lcid, nas_sdu);
+ if (nas_sdu) {
+ memcpy(nas_sdu->msg, &reconfig->ded_info_nas_list[i].msg, reconfig->ded_info_nas_list[i].N_bytes);
+ nas_sdu->N_bytes = reconfig->ded_info_nas_list[i].N_bytes;
+ nas->write_pdu(lcid, nas_sdu);
+ } else {
+ rrc_log->error("Fatal Error: Couldn't allocate PDU in handle_rrc_con_reconfig().\n");
+ return;
+ }
 }
 }
 }
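Review bot: The `memcpy` that moved inside `if (nas_sdu)` in rrc::handle_rrc_con_reconfig() still copies `reconfig->ded_info_nas_list[i].N_bytes` bytes into `nas_sdu->msg` without comparing that length to the destination's capacity. N_bytes is taken from the decoded reconfiguration message, presumably received from the network, so unless the decoder already bounds it (not visible here) a length guard is needed before the allocation, along the lines of `if (reconfig->ded_info_nas_list[i].N_bytes > <capacity of nas_sdu->msg>) { /* log and skip */ }`, where the capacity expression is a placeholder for whatever the buffer type provides. Separately, the `return` in the else branch leaves the loop after earlier NAS messages have already been handed to `nas->write_pdu()`, so a partially processed reconfiguration is possible and deserves a comment. The function starts outside the hunk.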