ue_cell_search_nbiot: fix potential out-of-bounds access

We've used a macro that can return -1 as the access index
for an array. This has now been converted into a member
that is initialized and checked during init.
Andre Puschmann 2020-05-06 15:34:57 +02:00
parent d64fa19321
commit 9648e47eb6
2 changed files with 9 additions and 5 deletions


@ -53,6 +53,7 @@ typedef struct SRSLTE_API {
*/
typedef struct SRSLTE_API {
srslte_nbiot_ue_sync_t ue_sync;
int32_t sf_len;
cf_t* rx_buffer[SRSLTE_MAX_CHANNELS];
cf_t* nsss_buffer;


@ -41,6 +41,11 @@ int srslte_ue_cellsearch_nbiot_init(srslte_ue_cellsearch_nbiot_t* q,
ret = SRSLTE_ERROR;
bzero(q, sizeof(srslte_ue_cellsearch_nbiot_t));
q->sf_len = SRSLTE_SF_LEN_PRB_NBIOT;
if (q->sf_len < 0) {
return ret;
}
if (srslte_ue_sync_nbiot_init_multi(
&q->ue_sync, SRSLTE_NBIOT_MAX_PRB, recv_callback, SRSLTE_NBIOT_NUM_RX_ANTENNAS, stream_handler)) {
fprintf(stderr, "Error initiating ue_sync\n");
@ -48,7 +53,7 @@ int srslte_ue_cellsearch_nbiot_init(srslte_ue_cellsearch_nbiot_t* q,
}
for (uint32_t i = 0; i < SRSLTE_NBIOT_NUM_RX_ANTENNAS; i++) {
q->rx_buffer[i] = srslte_vec_cf_malloc(SRSLTE_NOF_SF_X_FRAME * SRSLTE_SF_LEN_PRB_NBIOT);
q->rx_buffer[i] = srslte_vec_cf_malloc(SRSLTE_NOF_SF_X_FRAME * q->sf_len);
if (!q->rx_buffer[i]) {
perror("malloc");
goto clean_exit;
@ -56,7 +61,7 @@ int srslte_ue_cellsearch_nbiot_init(srslte_ue_cellsearch_nbiot_t* q,
}
// buffer to hold subframes for NSSS detection
q->nsss_buffer = srslte_vec_cf_malloc(SRSLTE_NSSS_NUM_SF_DETECT * SRSLTE_SF_LEN_PRB_NBIOT);
q->nsss_buffer = srslte_vec_cf_malloc(SRSLTE_NSSS_NUM_SF_DETECT * q->sf_len);
if (!q->nsss_buffer) {
perror("malloc");
goto clean_exit;
@ -121,9 +126,7 @@ int srslte_ue_cellsearch_nbiot_scan(srslte_ue_cellsearch_nbiot_t* q)
DEBUG("In tracking state sf_idx=%d\n", srslte_ue_sync_nbiot_get_sfidx(&q->ue_sync));
if (srslte_ue_sync_nbiot_get_sfidx(&q->ue_sync) == 9) {
// accumulate NSSS subframes for cell id detection
memcpy(&q->nsss_buffer[q->nsss_sf_counter * SRSLTE_SF_LEN_PRB_NBIOT],
q->rx_buffer[0],
SRSLTE_SF_LEN_PRB_NBIOT * sizeof(cf_t));
srslte_vec_cf_copy(&q->nsss_buffer[q->nsss_sf_counter * q->sf_len], q->rx_buffer[0], q->sf_len);
q->nsss_sf_counter++;
if (q->nsss_sf_counter == SRSLTE_NSSS_NUM_SF_DETECT) {
DEBUG("Captured %d subframes for NSSS detection.\n", q->nsss_sf_counter);
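Review bot: The new `if (q->sf_len < 0)` guard in srslte_ue_cellsearch_nbiot_init returns with no diagnostic, while the neighbouring failure paths report through `fprintf(stderr, ...)` or `perror("malloc")`, so an invalid subframe length fails silently; adding `fprintf(stderr, "Error: invalid subframe length\n");` before `return ret;` would keep the error reporting consistent. The guard also lets 0 through, in which case both `srslte_vec_cf_malloc` calls would be asked for zero elements and the `srslte_vec_cf_copy` in srslte_ue_cellsearch_nbiot_scan would copy nothing; if 0 is never a valid length, `if (q->sf_len <= 0) {` is the tighter check. Separately, the destination offset `q->nsss_sf_counter * q->sf_len` in the scan hunk stays inside `nsss_buffer` only while the counter is below `SRSLTE_NSSS_NUM_SF_DETECT`, and the reset of that counter is not visible here, so it is worth confirming. Both function bodies start and end outside the hunks shown.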