fix mem leaks in RRC after ASN1 unpacking failed

2019-04-29 11:48:01 +02:00 · 2019-04-29 11:48:01 +02:00 · 507e2deaa3
parent 3842beab0f
commit 507e2deaa3
1 changed files with 22 additions and 8 deletions
--- a/srsue/src/upper/rrc.cc
+++ b/srsue/src/upper/rrc.cc
@ -1956,20 +1956,25 @@ void rrc::handle_sib13()
 *
 *
 *******************************************************************************/
-void rrc::write_pdu_pcch(byte_buffer_t *pdu) {
+void rrc::write_pdu_pcch(byte_buffer_t* pdu)
+{
  cmd_msg_t msg;
  msg.pdu = pdu;
  msg.command = cmd_msg_t::PCCH;
  cmd_q.push(msg);
 }

-void rrc::process_pcch(byte_buffer_t *pdu) {
+void rrc::process_pcch(byte_buffer_t* pdu)
+{
  if (pdu->N_bytes > 0 && pdu->N_bytes < SRSLTE_MAX_BUFFER_SIZE_BITS) {
    pcch_msg_s    pcch_msg;
    asn1::bit_ref bref(pdu->msg, pdu->N_bytes);
-    pcch_msg.unpack(bref);
+    if (pcch_msg.unpack(bref) != asn1::SRSASN_SUCCESS) {
+      rrc_log->error("Failed to unpack PCCH message\n");
+      goto exit;
+    }
+
    log_rrc_message("PCCH", Rx, pdu, pcch_msg);
-    pool->deallocate(pdu);

    paging_s* paging = &pcch_msg.msg.c1().paging();
    if (paging->paging_record_list.size() > ASN1_RRC_MAX_PAGE_REC) {
@ -1978,7 +1983,7 @@ void rrc::process_pcch(byte_buffer_t *pdu) {

    if (not ue_identity_configured) {
      rrc_log->warning("Received paging message but no ue-Identity is configured\n");
-      return;
+      goto exit;
    }

    s_tmsi_s* s_tmsi_paged;
@ -2010,7 +2015,11 @@ void rrc::process_pcch(byte_buffer_t *pdu) {
        rrc_log->error("While obtaining SIBs of serving cell.\n");
      }
    }
+  } else {
+    rrc_log->error_hex(pdu->buffer, pdu->N_bytes, "Dropping PCCH message with %d B\n", pdu->N_bytes);
  }
+exit:
+  pool->deallocate(pdu);
 }

 void rrc::write_pdu_mch(uint32_t lcid, srslte::byte_buffer_t *pdu)
@ -2019,14 +2028,17 @@ void rrc::write_pdu_mch(uint32_t lcid, srslte::byte_buffer_t *pdu)
    //TODO: handle MCCH notifications and update MCCH
    if(0 == lcid && !serving_cell->has_mcch) {
      asn1::bit_ref bref(pdu->msg, pdu->N_bytes);
-      serving_cell->mcch.unpack(bref);
+      if (serving_cell->mcch.unpack(bref) != asn1::SRSASN_SUCCESS) {
+        rrc_log->error("Failed to unpack MCCH message\n");
+        goto exit;
+      }
      serving_cell->has_mcch = true;
      phy->set_config_mbsfn_mcch(&serving_cell->mcch);
      log_rrc_message("MCH", Rx, pdu, serving_cell->mcch);
    }
-
-    pool->deallocate(pdu);
  }
+exit:
+  pool->deallocate(pdu);
 }


@ -2112,6 +2124,7 @@ void rrc::write_pdu(uint32_t lcid, byte_buffer_t* pdu)
    asn1::rrc::dl_ccch_msg_s dl_ccch_msg;
    if (dl_ccch_msg.unpack(bref) != asn1::SRSASN_SUCCESS) {
      rrc_log->error("Failed to unpack DL-CCCH message\n");
+      pool->deallocate(pdu);
      return;
    }
    if (dl_ccch_msg.msg.c1().type() == dl_ccch_msg_type_c::c1_c_::types::rrc_conn_setup) {
@ -2206,6 +2219,7 @@ void rrc::parse_dl_dcch(uint32_t lcid, byte_buffer_t* pdu)
  asn1::rrc::dl_dcch_msg_s dl_dcch_msg;
  if (dl_dcch_msg.unpack(bref) != asn1::SRSASN_SUCCESS) {
    rrc_log->error("Failed to unpack DL-DCCH message\n");
+    pool->deallocate(pdu);
    return;
  }
  log_rrc_message(get_rb_name(lcid).c_str(), Rx, pdu, dl_dcch_msg);