nr-softmodem: fixed invalid length calculation, leading to segfault (!2338) · Merge requests · oai / openairinterface5G

Thomas Dreibholz requested to merge dreibh-trx_usrp_read-memory-access-fix into develop Sep 14, 2023

Fix for segfault issue #681 (closed): trx_usrp_read() may read too many bytes into a fixed-size buffer in case of reading from multiple channels:

Original code:

  samples_received=0;
  while (samples_received != nsamps) {

    if (cc>1) {
      // receive multiple channels (e.g. RF A and RF B)
      std::vector<void *> buff_ptrs;

      for (int i=0; i<cc; i++) buff_ptrs.push_back(buff_tmp[i]+samples_received);
      samples_received += s->rx_stream->recv(buff_ptrs, nsamps, s->rx_md);   // <<--- !!!
    } else {
      // receive a single channel (e.g. from connector RF A)

      samples_received += s->rx_stream->recv((void*)((int32_t*)buff_tmp[0]+samples_received),
                                             nsamps-samples_received, s->rx_md);
    }
    if  ((s->wait_for_first_pps == 0) && (s->rx_md.error_code!=uhd::rx_metadata_t::ERROR_CODE_NONE))
      break;

    if ((s->wait_for_first_pps == 1) && (samples_received != nsamps)) {
      printf("sleep...\n"); //usleep(100);
    }
  }

For reading only one channel, the length given to s->rx_stream->recv is nsamps-samples_received. However, for reading N channels, the length is always nsamps. Since the buffer may have already been incremented by samples_received > 0, this leads to overwriting the stack -> segfault.

This pull request fixes the issue, by reading also only reading nsamps-samples in the multi-channel case.

Admin message

nr-softmodem: fixed invalid length calculation, leading to segfault

Merge request reports