From 47654af7171e64a32c75f13a84d2cfc74fcb4d98 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Thu, 18 Mar 2021 18:41:55 +0100
Subject: [PATCH] pdcp_entity_lte: fix printf formatter for size_t

we've seen a heap-buffer overflow in fmt because printf wasn't using the right formtter for size_t, which should be %zu

this patch fixes it for the PDCP LTE entity but we might have it elsewhere too

[1m[31m==7595==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000e6f1fc at pc 0x562273a45289 bp 0x7f35567641f0 sp 0x7f35567641e0
[1m[0m[1m[34mREAD of size 4 at 0x629000e6f1fc thread T12 (STACK)[1m[0m
 0 0x562273a45288 in fmt::v7::basic_format_arg >, char> > fmt::v7::detail::make_arg >, char>, unsigned int>(unsigned int const&) (/osmo-gsm-tester-srsue/srslte/bin/srsue+0x9dc288)
 1 0x562273a3aa86 in void fmt::v7::dynamic_format_arg_store >, char> >::emplace_arg(unsigned int const&) (/osmo-gsm-tester-srsue/srslte/bin/srsue+0x9d1a86)
 2 0x562273a308e7 in void fmt::v7::dynamic_format_arg_store >, char> >::push_back(unsigned int const&) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/include/srslte/srslog/bundled/fmt/core.h:1548
 3 0x562274361541 in void srslog::log_channel::operator()(char const*, unsigned int&, unsigned int&, unsigned long&&) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/include/srslte/srslog/log_channel.h:101
 4 0x56227430d9e7 in srslte::pdcp_entity_lte::update_rx_counts_queue(unsigned int) /mnt/data/jenkins/workspace/srslte_ogt_trial_builder_x86-ubuntu1804-asan/srsLTE/lib/src/upper/pdcp_entity_lte.cc:451
---
 lib/src/upper/pdcp_entity_lte.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/src/upper/pdcp_entity_lte.cc b/lib/src/upper/pdcp_entity_lte.cc
index 68ed25c94..4b6d98965 100644
--- a/lib/src/upper/pdcp_entity_lte.cc
+++ b/lib/src/upper/pdcp_entity_lte.cc
@@ -439,7 +439,7 @@ void pdcp_entity_lte::update_rx_counts_queue(uint32_t rx_count)
 // If the size of the rx_vector_info is getting very large
 // Consider the FMC as lost and update the vector.
 if (rx_counts_info.size() > reordering_window) {
- logger.debug("Queue too large. Updating. Old FMC=%d, Old back=%d, old queue_size=%d",
+ logger.debug("Queue too large. Updating. Old FMC=%d, Old back=%d, old queue_size=%zu",
 fmc,
 rx_counts_info.back(),
 rx_counts_info.size());
@@ -448,16 +448,16 @@ void pdcp_entity_lte::update_rx_counts_queue(uint32_t rx_count)
 rx_counts_info.pop_back();
 fmc++;
 }
- logger.debug("Queue too large. Updating. New FMC=%d, new back=%d, new queue_size=%d",
+ logger.debug("Queue too large. Updating. New FMC=%d, new back=%d, new queue_size=%zu",
 fmc,
 rx_counts_info.back(),
 rx_counts_info.size());
 }
 if (rx_counts_info.empty()) {
- logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%d, FMC=%d", rx_count, rx_counts_info.size(), fmc);
+ logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size%zu, FMC=%d", rx_count, rx_counts_info.size(), fmc);
 } else {
- logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%d, FMC=%d, back=%d",
+ logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%zu, FMC=%d, back=%d",
 rx_count,
 rx_counts_info.size(),
 fmc,
@@ -707,7 +707,7 @@ void pdcp_entity_lte::notify_delivery(const pdcp_sn_vector_t& pdcp_sns)
 return;
 }
- logger.info("Received delivery notification from RLC. Number of PDU notified=%ld", pdcp_sns.size());
+ logger.info("Received delivery notification from RLC. Number of PDU notified=%zu", pdcp_sns.size());
 for (uint32_t sn : pdcp_sns) {
 logger.debug("Delivery notification received for PDU with SN=%d", sn);
 if (sn == UINT32_MAX) {
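Review bot: The new `logger.info` line in the `rx_counts_info.empty()` branch of the `-448` hunk drops the `=` from the format string (`queue_size%zu`), so the log will read `queue_size4` instead of `queue_size=4`; it should be `logger.info("Updated RX_COUNT info with SDU COUNT=%d, queue_size=%zu, FMC=%d", rx_count, rx_counts_info.size(), fmc);`. The same hunk still prints `rx_count`, declared `uint32_t` in the signature shown in the hunk header, with `%d`, and the `-707` and `-737` hunks print `sn` from `for (uint32_t sn : pdcp_sns)` with `%d`; the ASan trace in the commit message appears to show the srslog printf layer storing the argument with the type the specifier names (an `unsigned long` arrives, an `unsigned int` is pushed), so a remaining specifier/argument mismatch in this logging path is a memory-safety bug rather than a cosmetic one, and `%u` (or `PRIu32`) for the `uint32_t` values belongs in the same pass. Since `log_channel::operator()` is a variadic template (visible in frame 3 of the trace), the compiler's printf format attribute cannot check these call sites, so the "might have it elsewhere" sites from the commit message will need a static check or a grep-and-review rather than `-Wformat`. The body of `update_rx_counts_queue` starts and ends outside these hunks.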
@@ -737,7 +737,7 @@ void pdcp_entity_lte::notify_failure(const pdcp_sn_vector_t& pdcp_sns)
 return;
 }
- logger.info("Received failure notification from RLC. Number of PDU notified=%ld", pdcp_sns.size());
+ logger.info("Received failure notification from RLC. Number of PDU notified=%zu", pdcp_sns.size());
 for (uint32_t sn : pdcp_sns) {
 logger.info("Failure notification received for PDU with SN=%d", sn);
@@ -800,7 +800,7 @@ std::map pdcp_entity_lte::get_buffered_p
 logger.error("Buffered PDUs being requested for non-AM DRB");
 return std::map{};
 }
- logger.info("Buffered PDUs requested, buffer_size=%d", undelivered_sdus->size());
+ logger.info("Buffered PDUs requested, buffer_size=%zu", undelivered_sdus->size());
 return undelivered_sdus->get_buffered_sdus();
 }