From 19f30aa65258dfc58c5a5b4f444c6ba984b8969f Mon Sep 17 00:00:00 2001
From: Andre Puschmann <andre@softwareradiosystems.com>
Date: Fri, 11 Jun 2021 12:26:42 +0200
Subject: [PATCH] rlc_am_lte: fix handling of out-of-order status PDUs

before processing incoming status PDUs we should be checking
if the ACK_SN falls within our current Tx window. If not the PDU
will be dropped.

Without the check we were incorrectly processing the status PDU
and because the sequence number wrap around wasn't working
correctly if ACK_SN is smaller than vt_a we were corrupting
our Tx window.
---
 lib/src/upper/rlc_am_lte.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/src/upper/rlc_am_lte.cc b/lib/src/upper/rlc_am_lte.cc
index 25f10284d..afa6c511d 100644
--- a/lib/src/upper/rlc_am_lte.cc
+++ b/lib/src/upper/rlc_am_lte.cc
@@ -1189,6 +1189,16 @@ void rlc_am_lte::rlc_am_lte_tx::handle_control_pdu(uint8_t* payload, uint32_t no
     retx_queue.clear();
   }
 
+  // make sure ACK_SN is within our Tx window
+  if ((MOD + status.ack_sn - vt_a) % MOD > RLC_AM_WINDOW_SIZE) {
+    logger.error("%s Received invalid status PDU (ack_sn=%d < vt_a=%d). Dropping PDU.", RB_NAME, status.ack_sn, vt_a);
+    return;
+  }
+  if ((MOD + vt_s - status.ack_sn) % MOD > RLC_AM_WINDOW_SIZE) {
+    logger.error("%s Received invalid status PDU (ack_sn=%d > vt_s=%d). Dropping PDU.", RB_NAME, status.ack_sn, vt_s);
+    return;
+  }
+
   // Handle ACKs and NACKs
   bool     update_vt_a = true;
   uint32_t i           = vt_a;