Commit bc041092 authored by Thomas Schlichter's avatar Thomas Schlichter 🇩🇪

NR_UE: always break out of MAC PDU processing after pdu_len Bytes

In case of false positive PDSCH CRC check, a random MAC PDU is processed.
Currently pdu_len is an unsigned 16-bit value, so we only broke out of the processing loop if we _exactly_ hit a residual pdu_len of 0, or if we hit an LCID of DL_SCH_LCID_PADDING.
If we hit neither of these, pdu_len wrapped around to a very large positive value, and we continued processing the PDU even beyond its bounds!
This behavior was observed with SNR 1 dB and MCS 9.

So better make pdu_len signed and break out of the loop after processing at max. pdu_len Bytes!
parent 14f3d6a7
......@@ -881,7 +881,7 @@ void nr_ue_dlsch_procedures(PHY_VARS_NR_UE *ue,
int harq_pid = dlsch0->current_harq_pid;
int frame_rx = proc->frame_rx;
int nr_slot_rx = proc->nr_slot_rx;
int ret=0, ret1=0;
uint32_t ret = UINT32_MAX, ret1 = UINT32_MAX;
NR_UE_PDSCH *pdsch_vars;
uint16_t dmrs_len = get_num_dmrs(dlsch0->harq_processes[dlsch0->current_harq_pid]->dlDmrsSymbPos);
nr_downlink_indication_t dl_indication;
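Review bot: The change of `ret`/`ret1` from `int` initialised to 0 to `uint32_t` initialised to `UINT32_MAX` on the added line is not covered by the commit description, which only talks about pdu_len, and nothing in this hunk shows what the sentinel stands for. A one-line comment next to the declaration would save the next reader a search, e.g. `// UINT32_MAX marks "no decoding result for this slot yet"` — the exact wording should be taken from the code that assigns and tests ret, which is outside the hunk. Because both variables are now unsigned, any later comparison against a signed expression (a negative error code, a signed iteration count) is promoted to unsigned; presumably there is none, but it is worth confirming where ret and ret1 are used. nr_ue_dlsch_procedures continues beyond the hunk on both sides.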
......@@ -1746,7 +1746,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
frame_t frameP = dl_info->frame;
int slot = dl_info->slot;
uint8_t *pduP = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu;
uint16_t pdu_len = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu_length;
int32_t pdu_len = (dl_info->rx_ind->rx_indication_body + pdu_id)->pdsch_pdu.pdu_length;
uint8_t gNB_index = dl_info->gNB_index;
uint8_t CC_id = dl_info->cc_id;
uint8_t done = 0;
......@@ -1757,7 +1757,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
LOG_D(MAC, "In %s [%d.%d]: processing PDU %d of %d total number of PDUs...\n", __FUNCTION__, frameP, slot, pdu_id, dl_info->rx_ind->number_pdus);
LOG_D(MAC, "In %s [%d.%d]: processing PDU %d (with length %d) of %d total number of PDUs...\n", __FUNCTION__, frameP, slot, pdu_id, pdu_len, dl_info->rx_ind->number_pdus);
while (!done && pdu_len > 0){
mac_ce_len = 0x0000;
......@@ -1961,7 +1961,7 @@ void nr_ue_process_mac_pdu(nr_downlink_indication_t *dl_info,
pduP += ( mac_subheader_len + mac_ce_len + mac_sdu_len );
pdu_len -= ( mac_subheader_len + mac_ce_len + mac_sdu_len );
if (pdu_len < 0)
LOG_E(MAC, "[MAC] nr_ue_process_mac_pdu, residual mac pdu length %d < 0!\n", pdu_len);
LOG_E(MAC, "[UE %d][%d.%d] nr_ue_process_mac_pdu, residual mac pdu length %d < 0!\n", module_idP, frameP, slot, pdu_len);
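Review bot: The `if (pdu_len < 0)` check in the last hunk runs only after the sub-PDU has been consumed: by then `pduP` has been advanced and the CE/SDU handling earlier in the loop body (above the hunk) has presumably already read mac_ce_len or mac_sdu_len bytes from pduP, so a length field produced by a false-positive CRC can still make that single iteration read past the end of the PDU; the signed pdu_len only guarantees that the loop stops afterwards. The residual length should be validated before the sub-PDU is dispatched, at the point where mac_subheader_len and mac_sdu_len are first known, e.g. `if (mac_subheader_len + mac_ce_len + mac_sdu_len > pdu_len) { LOG_E(MAC, "[UE %d][%d.%d] sub-PDU length exceeds residual PDU length %d\n", module_idP, frameP, slot, pdu_len); break; }`, after which the `LOG_E` on the last line is only a safety net. The loop body and the start and end of nr_ue_process_mac_pdu are outside these hunks, so where the length fields are first used needs checking in the full function. `module_idP`, newly referenced in the last log line, is likewise not visible here; presumably it is derived from dl_info earlier in the function.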