From a88c33b148255657bec3d66d7bb2dec8752ab3b8 Mon Sep 17 00:00:00 2001
From: Laurent THOMAS <laurent.thomas@open-cells.com>
Date: Mon, 21 Jun 2021 12:56:57 +0200
Subject: [PATCH] fix array overflow and wrong LCID
---
openair1/PHY/NR_TRANSPORT/nr_dlsch_coding.c | 3 +++
openair2/COMMON/f1ap_messages_types.h | 2 +-
openair2/F1AP/f1ap_du_rrc_message_transfer.c | 2 +-
openair2/F1AP/f1ap_du_rrc_message_transfer.h | 2 +-
openair2/F1AP/f1ap_du_task.c | 2 +-
openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c | 25 ++++++-------------
.../LAYER2/NR_MAC_gNB/gNB_scheduler_ulsch.c | 4 +++
openair2/RRC/LTE/rrc_eNB_GTPV1U.c | 2 +-
openair2/RRC/NR/L2_nr_interface.c | 2 --
openair2/RRC/NR/MESSAGES/asn1_msg.c | 2 +-
openair3/ocp-gtpu/gtp_itf.cpp | 9 +++++--
11 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/openair1/PHY/NR_TRANSPORT/nr_dlsch_coding.c b/openair1/PHY/NR_TRANSPORT/nr_dlsch_coding.c
index e75a3225e5a..e1b5e7d5866 100644
--- a/openair1/PHY/NR_TRANSPORT/nr_dlsch_coding.c
+++ b/openair1/PHY/NR_TRANSPORT/nr_dlsch_coding.c
@@ -44,6 +44,7 @@
#include "common/utils/LOG/vcd_signal_dumper.h"
#include "common/utils/LOG/log.h"
#include <syscall.h>
+#include <openair2/UTIL/OPT/opt.h>
//#define DEBUG_DLSCH_CODING
//#define DEBUG_DLSCH_FREE 1
@@ -266,6 +267,8 @@ int nr_dlsch_encoding(PHY_VARS_gNB *gNB,
VCD_SIGNAL_DUMPER_DUMP_FUNCTION_BY_NAME(VCD_SIGNAL_DUMPER_FUNCTIONS_gNB_DLSCH_ENCODING, VCD_FUNCTION_IN);
A = rel15->TBSize[0]<<3;
+ if ( dlsch->rnti != SI_RNTI )
+ trace_NRpdu(DIRECTION_DOWNLINK, a, rel15->TBSize[0], 0, WS_C_RNTI, dlsch->rnti, frame, slot,0, 0);
NR_gNB_SCH_STATS_t *stats=NULL;
int first_free=-1;
diff --git a/openair2/COMMON/f1ap_messages_types.h b/openair2/COMMON/f1ap_messages_types.h
index ecfde8d38bd..c2fb4a9cf7b 100644
--- a/openair2/COMMON/f1ap_messages_types.h
+++ b/openair2/COMMON/f1ap_messages_types.h
@@ -299,7 +299,7 @@ typedef struct f1ap_initial_ul_rrc_message_s {
uint16_t crnti;
uint8_t *rrc_container;
int rrc_container_length;
- uint8_t *du2cu_rrc_container;
+ int8_t *du2cu_rrc_container;
int du2cu_rrc_container_length;
} f1ap_initial_ul_rrc_message_t;
diff --git a/openair2/F1AP/f1ap_du_rrc_message_transfer.c b/openair2/F1AP/f1ap_du_rrc_message_transfer.c
index 92ce430bca1..00392c07a7b 100644
--- a/openair2/F1AP/f1ap_du_rrc_message_transfer.c
+++ b/openair2/F1AP/f1ap_du_rrc_message_transfer.c
@@ -799,7 +799,7 @@ int DU_send_INITIAL_UL_RRC_MESSAGE_TRANSFER(module_id_t module_idP,
rnti_t rntiP,
const uint8_t *sduP,
sdu_size_t sdu_lenP,
- const uint8_t *sdu2P,
+ const int8_t *sdu2P,
sdu_size_t sdu2_lenP) {
F1AP_F1AP_PDU_t pdu;
F1AP_InitialULRRCMessageTransfer_t *out;
diff --git a/openair2/F1AP/f1ap_du_rrc_message_transfer.h b/openair2/F1AP/f1ap_du_rrc_message_transfer.h
index 0bb6371fe80..bb2bf020b8f 100644
--- a/openair2/F1AP/f1ap_du_rrc_message_transfer.h
+++ b/openair2/F1AP/f1ap_du_rrc_message_transfer.h
@@ -50,7 +50,7 @@ int DU_send_INITIAL_UL_RRC_MESSAGE_TRANSFER(module_id_t module_idP,
rnti_t rntiP,
const uint8_t *sduP,
sdu_size_t sdu_lenP,
- const uint8_t *sdu2P,
+ const int8_t *sdu2P,
sdu_size_t sdu2_lenP);
#endif /* F1AP_DU_RRC_MESSAGE_TRANSFER_H_ */
diff --git a/openair2/F1AP/f1ap_du_task.c b/openair2/F1AP/f1ap_du_task.c
index 726d5629f8a..676aba54a21 100644
--- a/openair2/F1AP/f1ap_du_task.c
+++ b/openair2/F1AP/f1ap_du_task.c
@@ -190,7 +190,7 @@ void *F1AP_DU_task(void *arg) {
DU_send_INITIAL_UL_RRC_MESSAGE_TRANSFER(0,0,0,msg->crnti,
msg->rrc_container,
msg->rrc_container_length,
- msg->du2cu_rrc_container,
+ (char*)msg->du2cu_rrc_container,
msg->du2cu_rrc_container_length
);
break;
diff --git a/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c b/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c
index 1ca5956ee55..2569559d294 100644
--- a/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c
+++ b/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c
@@ -1012,7 +1012,7 @@ NR_UE_L2_STATE_t nr_ue_scheduler(nr_downlink_indication_t *dl_info, nr_uplink_in
//Give the first byte a dummy value (a value not corresponding to any valid LCID based on 38.321, Table 6.2.1-2)
//in order to distinguish the PHY random packets at the MAC layer of the gNB receiver from the normal packets that should
//have a valid LCID (nr_process_mac_pdu function)
- ulsch_input_buffer[0] = 0x31;
+ ulsch_input_buffer[0] = UL_SCH_LCID_PADDING;
for (int i = 1; i < TBS_bytes; i++) {
ulsch_input_buffer[i] = (unsigned char) rand();
@@ -1914,6 +1914,7 @@ void nr_ue_prach_scheduler(module_id_t module_idP, frame_t frameP, sub_frame_t s
} // if is_nr_UL_slot
}
+#define MAX_LCID 8 //Fixme: also defined in LCID table
uint8_t
nr_ue_get_sdu(module_id_t module_idP, int CC_id, frame_t frameP,
sub_frame_t subframe, uint8_t eNB_index,
@@ -1921,16 +1922,15 @@ nr_ue_get_sdu(module_id_t module_idP, int CC_id, frame_t frameP,
uint8_t total_rlc_pdu_header_len = 0;
int16_t buflen_remain = 0;
uint8_t lcid = 0;
- uint16_t sdu_lengths[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
- uint8_t sdu_lcids[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+ uint16_t sdu_lengths[MAX_LCID] = { 0 };
+ uint8_t sdu_lcids[MAX_LCID] = { 0 };
uint16_t payload_offset = 0, num_sdus = 0;
uint8_t ulsch_sdus[MAX_ULSCH_PAYLOAD_BYTES];
uint16_t sdu_length_total = 0;
//unsigned short post_padding = 0;
NR_UE_MAC_INST_t *mac = get_mac_inst(module_idP);
- rlc_buffer_occupancy_t lcid_buffer_occupancy_old =
- 0, lcid_buffer_occupancy_new = 0;
+ rlc_buffer_occupancy_t lcid_buffer_occupancy_new = 0;
LOG_D(NR_MAC,
"[UE %d] MAC PROCESS UL TRANSPORT BLOCK at frame%d subframe %d TBS=%d\n",
module_idP, frameP, subframe, buflen);
@@ -1940,12 +1940,9 @@ nr_ue_get_sdu(module_id_t module_idP, int CC_id, frame_t frameP,
// Check for DCCH first
// TO DO: Multiplex in the order defined by the logical channel prioritization
for (lcid = UL_SCH_LCID_SRB1;
- lcid < NR_MAX_NUM_LCID; lcid++) {
+ lcid < MAX_LCID; lcid++) {
- lcid_buffer_occupancy_old = mac_rlc_get_buffer_occupancy_ind(module_idP, mac->crnti, eNB_index, frameP, subframe, ENB_FLAG_NO, lcid);
- lcid_buffer_occupancy_new = lcid_buffer_occupancy_old;
-
- if(lcid_buffer_occupancy_new){
+ if( mac_rlc_get_buffer_occupancy_ind(module_idP, mac->crnti, eNB_index, frameP, subframe, ENB_FLAG_NO, lcid) ) {
buflen_remain =
buflen - (total_rlc_pdu_header_len + sdu_length_total + MAX_RLC_SDU_SUBHEADER_SIZE);
@@ -1983,14 +1980,6 @@ nr_ue_get_sdu(module_id_t module_idP, int CC_id, frame_t frameP,
num_sdus++;
}
- /* Get updated BO after multiplexing this PDU */
- lcid_buffer_occupancy_new = mac_rlc_get_buffer_occupancy_ind(module_idP,
- mac->crnti,
- eNB_index,
- frameP,
- subframe,
- ENB_FLAG_NO,
- lcid);
buflen_remain =
buflen - (total_rlc_pdu_header_len + sdu_length_total + MAX_RLC_SDU_SUBHEADER_SIZE);
}
diff --git a/openair2/LAYER2/NR_MAC_gNB/gNB_scheduler_ulsch.c b/openair2/LAYER2/NR_MAC_gNB/gNB_scheduler_ulsch.c
index 9affac70f78..9104393f360 100644
--- a/openair2/LAYER2/NR_MAC_gNB/gNB_scheduler_ulsch.c
+++ b/openair2/LAYER2/NR_MAC_gNB/gNB_scheduler_ulsch.c
@@ -32,6 +32,8 @@
#include "LAYER2/NR_MAC_gNB/mac_proto.h"
#include "executables/softmodem-common.h"
#include "common/utils/nr/nr_common.h"
+#include <openair2/UTIL/OPT/opt.h>
+
//38.321 Table 6.1.3.1-1
const uint32_t NR_SHORT_BSR_TABLE[32] = {
@@ -83,6 +85,8 @@ void nr_process_mac_pdu(
LOG_E(NR_MAC, "%s() UE_id == -1\n",__func__);
return;
}
+ trace_NRpdu(DIRECTION_UPLINK, pduP, mac_pdu_len ,UE_id, WS_C_RNTI, rnti, frameP, 0,0, 0);
+
NR_UE_sched_ctrl_t *sched_ctrl = &UE_info->UE_sched_ctrl[UE_id];
// For both DL/UL-SCH
// Except:
diff --git a/openair2/RRC/LTE/rrc_eNB_GTPV1U.c b/openair2/RRC/LTE/rrc_eNB_GTPV1U.c
index 6683d91556f..3bdf4f4e71e 100644
--- a/openair2/RRC/LTE/rrc_eNB_GTPV1U.c
+++ b/openair2/RRC/LTE/rrc_eNB_GTPV1U.c
@@ -249,7 +249,7 @@ boolean_t gtpv_data_req_new (
return result;
} else { /* It is from from epc message */
/* in the source enb, UE in RRC_HO_EXECUTION mode */
- MessageDef *msg;
+ //MessageDef *msg;
// ?????
return true;
}
diff --git a/openair2/RRC/NR/L2_nr_interface.c b/openair2/RRC/NR/L2_nr_interface.c
index 329bc0479f5..5a540f1c66c 100644
--- a/openair2/RRC/NR/L2_nr_interface.c
+++ b/openair2/RRC/NR/L2_nr_interface.c
@@ -44,7 +44,6 @@
#include "NR_BCCH-BCH-Message.h"
#include "rrc_gNB_UE_context.h"
#include <openair2/RRC/NR/MESSAGES/asn1_msg.h>
-#include <openair2/UTIL/OPT/opt.h>
extern RAN_CONTEXT_t RC;
@@ -208,7 +207,6 @@ nr_rrc_data_req(
message_p);
LOG_I(NR_RRC,"send RRC_DCCH_DATA_REQ to PDCP\n");
- //trace_NRpdu(DIRECTION_DOWNLINK, message_buffer, sdu_sizeP, 0, WS_M_RNTI, ctxt_pP->rnti, ctxt_pP->frame, ctxt_pP->subframe,0, 0);
/* Hack: only trigger PDCP if in CU, otherwise it is triggered by RU threads
* Ideally, PDCP would not neet to be triggered like this but react to ITTI
* messages automatically */
diff --git a/openair2/RRC/NR/MESSAGES/asn1_msg.c b/openair2/RRC/NR/MESSAGES/asn1_msg.c
index d2dc25decd7..d257d02070f 100755
--- a/openair2/RRC/NR/MESSAGES/asn1_msg.c
+++ b/openair2/RRC/NR/MESSAGES/asn1_msg.c
@@ -1034,7 +1034,7 @@ void fill_initial_SpCellConfig(rnti_t rnti,
AssertFatal(scc->downlinkConfigCommon->initialDownlinkBWP->genericParameters.subcarrierSpacing==NR_SubcarrierSpacing_kHz30,
"SCS != 30kHz\n");
AssertFatal(scc->tdd_UL_DL_ConfigurationCommon->pattern1.dl_UL_TransmissionPeriodicity==NR_TDD_UL_DL_Pattern__dl_UL_TransmissionPeriodicity_ms5,
- "TDD period != 5ms : %d\n",scc->tdd_UL_DL_ConfigurationCommon->pattern1.dl_UL_TransmissionPeriodicity);
+ "TDD period != 5ms : %ld\n",scc->tdd_UL_DL_ConfigurationCommon->pattern1.dl_UL_TransmissionPeriodicity);
schedulingRequestResourceConfig->periodicityAndOffset->choice.sl40 = 10*((rnti>>1)&3) + (rnti&2);
schedulingRequestResourceConfig->resource = calloc(1,sizeof(*schedulingRequestResourceConfig->resource));
diff --git a/openair3/ocp-gtpu/gtp_itf.cpp b/openair3/ocp-gtpu/gtp_itf.cpp
index ee95787b062..a882bc34c9d 100644
--- a/openair3/ocp-gtpu/gtp_itf.cpp
+++ b/openair3/ocp-gtpu/gtp_itf.cpp
@@ -441,10 +441,15 @@ teid_t newGtpuCreateTunnel(instance_t instance, rnti_t rnti, int bearer_id, teid
tmp->outgoing_port=port;
tmp->teid_outgoing= outgoing_teid;
pthread_mutex_unlock(&globGtp.gtp_lock);
- LOG_I(GTPU, "Created tunnel for RNTI %x, teid for DL: %d, teid for UL %d\n",
+ char ip4[INET_ADDRSTRLEN];
+ char ip6[INET6_ADDRSTRLEN];
+
+ LOG_I(GTPU, "Created tunnel for RNTI %x, teid for DL: %d, teid for UL %d to remote IPv4: %s, IPv6 %s\n",
rnti,
tmp->teid_incoming,
- tmp->teid_outgoing);
+ tmp->teid_outgoing,
+ inet_ntop(AF_INET,(void*)&tmp->outgoing_ip_addr, ip4,INET_ADDRSTRLEN ),
+ inet_ntop(AF_INET6,(void*)&tmp->outgoing_ip6_addr.s6_addr, ip6, INET6_ADDRSTRLEN));
return incoming_teid;
}
--
GitLab