Project

General

Profile

Actions
Copy link

Bug #6100

closed

nacc_fsm: uninitialized neigh_key variable

Added by dexter 9 months ago. Updated 9 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
dexter
Target version:
-
Start date:
07/19/2023
Due date:
% Done:

100%

Spec Reference:

Description

The neigh_key variable in handle_retrans_pkt_cell_chg_notif() is used uninitialized.

There is never data written to it, but it should contain the neighbor key information from the previous message (we are detecting a resend/dup here).
The neigh_key variable is used with neigh_cache_entry_key_eq() at the bottom on the function, but all neigh_cache_entry_key_eq() does is a comparison, it does not put valid values into neigh_key.
Then when neigh_key is detected as different from the neigh_key information in ctx.
The neigh_key information in ctx is overwritten with the (invalid) contents of the uninitialized neigh_key variable. This cannot work and needs fixing.

(change I96280f0ec5955ed3cb17641bf4118496c929bdac did not introduce the problem)

** CID 322150:    (UNINIT)
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif()
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif()

________________________________________________________________________________________________________
*** CID 322150:    (UNINIT)
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif()
402              * section 8c.6.1. */
403             nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
404             return;
405         }
406     
407         /* If tgt cell changed, restart resolving it */
>>>     CID 322150:    (UNINIT)
>>>     Using uninitialized value "neigh_key.tgt_arfcn" when calling "neigh_cache_entry_key_eq".
408         if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) {
409             ctx->neigh_key = neigh_key;
410             nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI);
411         }
412         /* else: ignore it, it's a dup, carry on what we were doing */
413     }
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif()
403             nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
404             return;
405         }
406     
407         /* If tgt cell changed, restart resolving it */
408         if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) {
>>>     CID 322150:    (UNINIT)
>>>     Using uninitialized value "neigh_key". Field "neigh_key.tgt_bsic" is uninitialized.
409             ctx->neigh_key = neigh_key;
410             nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI);
411         }
412         /* else: ignore it, it's a dup, carry on what we were doing */
413     }
414     
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif()
403             nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
404             return;
405         }
406     
407         /* If tgt cell changed, restart resolving it */
408         if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) {
>>>     CID 322150:    (UNINIT)
>>>     Using uninitialized value "neigh_key". Field "neigh_key.tgt_arfcn" is uninitialized.
409             ctx->neigh_key = neigh_key;
410             nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI);
411         }
412         /* else: ignore it, it's a dup, carry on what we were doing */
413     }
414     
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif()
402              * section 8c.6.1. */
403             nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
404             return;
405         }
406     
407         /* If tgt cell changed, restart resolving it */
>>>     CID 322150:    (UNINIT)
>>>     Using uninitialized value "neigh_key.local_lac" when calling "neigh_cache_entry_key_eq".
408         if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) {
409             ctx->neigh_key = neigh_key;
410             nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI);
411         }
412         /* else: ignore it, it's a dup, carry on what we were doing */
413     }
/source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif()
402              * section 8c.6.1. */
403             nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE);
404             return;
405         }
406     
407         /* If tgt cell changed, restart resolving it */
>>>     CID 322150:    (UNINIT)
>>>     Using uninitialized value "neigh_key.tgt_bsic" when calling "neigh_cache_entry_key_eq".
408         if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) {
409             ctx->neigh_key = neigh_key;
410             nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI);
411         }
412         /* else: ignore it, it's a dup, carry on what we were doing */
413     }
Actions
Copy link
 #1

Updated by pespin 9 months ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by dexter 9 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

I have fixed the problem now in the following patch:
https://gerrit.osmocom.org/c/osmo-pcu/+/33844 nacc_fsm: fix uninitialized neigh_key variable

(I didn't see that at first, but the problem was indeed introduced by I96280f0ec5955ed3cb17641bf4118496c929bdac)

Actions
Copy link
 #3

Updated by dexter 9 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

The fix is merged, so we can close this now.

Actions
Copy link

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)