Bug #6431

(coverity) uninitialized asn.1 state / overwriting asn.1 state in HNBAP

Added by neels 16 days ago. Updated 15 days ago.

Status: New
Priority: Normal
Assignee:
Target version: -
Start date: 04/03/2024
Due date:
% Done: 0%
Spec Reference:

Description

A recent patch improves HNBAP error reporting: https://gerrit.osmocom.org/c/osmo-hnbgw/+/36479
But Coverity complains about this pattern:

HNBAP_Cause_t cause;

cause.present = HNBAP_Cause_PR_protocol;
cause.choice.radioNetwork = HNBAP_CauseProtocol_unspecified;
return hnbgw_tx_hnb_register_rej(ctx, &cause);

That's because the internal asn.1 state in cause._asn_ctx is uninitialized.

I'd submit a fix like this, initializing the Cause:

- HNBAP_Cause_t cause;
+ HNBAP_Cause_t cause = {};
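Review bot: `= {}` (empty braces) is a GNU/Clang extension before C23; `= {0}` is the portable spelling and zeroes the same members, `_asn_ctx` included, so the Coverity finding on the later copy goes away either way. The same initialization is also needed for `reject` in hnbgw_tx_hnb_register_rej(), which the description below notes is not initialized at all; that change would belong in the same fix.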

The reason I'm creating this issue is
  • to draw attention to the _asn_ctx part.
  • about other uninitialized items.

In hnbgw_tx_hnb_register_rej() we do this:

HNBAP_HNBRegisterRejectIEs_t reject;
reject.cause = *cause;
  • we are overwriting the internal asn.1 state in reject.cause._asn_ctx with uninitialized mem.
  • could there have been important state in there before?
  • hm, 'reject' itself was not initialized at all.

This seems like more than just a quick fix, so I'm creating this issue instead of fixing it.

Actions #1

Updated by laforge 16 days ago

Unless somebody has a better idea and a deeper understanding of the inner workings of libasn1c with regard to those _asn_ctx sub-structures, I suggest working around the problem by
  • always initializing any variable on the stack (like you suggested)
  • replacing constructs like reject.cause = *cause with something that just assigns the two cause members but not the complete cause value.

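
To make both points above concrete (the uninitialized _asn_ctx from the description, and the two workarounds suggested in #1), here is an added, stand-alone C example. It is not osmo-hnbgw or libasn1c code: the types are stand-ins that only mirror the shape asn1c generates for a CHOICE (value members first, the decoder context `_asn_ctx` last), the enumerator names are modelled on HNBAP_Cause_t, and the numeric value of HNBAP_CauseProtocol_unspecified is a constructed placeholder. The helpers cause_set_protocol() and cause_copy_value() are hypothetical names, not functions in the project.

```c
/* Added example (not osmo-hnbgw or libasn1c code). Stand-in types that
 * mirror the layout asn1c generates for a CHOICE such as HNBAP_Cause_t,
 * so the pattern from the bug report can be compiled and checked offline. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for asn1c's asn_struct_ctx_t, the "internal asn.1 state". */
typedef struct {
	short phase;
	short step;
	int context;
	void *ptr;
	long left;
} asn_struct_ctx_t;

/* Stand-in for the HNBAP Cause CHOICE (radioNetwork/transport/protocol/misc). */
typedef enum {
	HNBAP_Cause_PR_NOTHING = 0,
	HNBAP_Cause_PR_radioNetwork,
	HNBAP_Cause_PR_transport,
	HNBAP_Cause_PR_protocol,
	HNBAP_Cause_PR_misc
} HNBAP_Cause_PR;

/* Constructed placeholder value, not the real enumerator from the spec. */
enum { HNBAP_CauseProtocol_unspecified = 5 };

typedef struct {
	HNBAP_Cause_PR present;
	union {
		long radioNetwork;
		long transport;
		long protocol;
		long misc;
	} choice;
	asn_struct_ctx_t _asn_ctx; /* trailing, as in asn1c output */
} HNBAP_Cause_t;

typedef struct {
	HNBAP_Cause_t cause;
	asn_struct_ctx_t _asn_ctx;
} HNBAP_HNBRegisterRejectIEs_t;

/* Workaround (a): build the value on top of fully zeroed memory, so
 * _asn_ctx is initialized and a later struct copy reads nothing undefined.
 * Equivalent to declaring `HNBAP_Cause_t cause = {0};` at the call site. */
static void cause_set_protocol(HNBAP_Cause_t *cause, long reason)
{
	memset(cause, 0, sizeof(*cause));
	cause->present = HNBAP_Cause_PR_protocol;
	cause->choice.protocol = reason; /* union member matches 'present' */
}

/* Workaround (b): copy only the value members (present + choice) and leave
 * the destination's own _asn_ctx alone, instead of `dst = *src`. */
static void cause_copy_value(HNBAP_Cause_t *dst, const HNBAP_Cause_t *src)
{
	dst->present = src->present;
	dst->choice = src->choice;
}

/* Check: after the member-wise copy, reject.cause carries the source value
 * but keeps whatever state already sat in its own _asn_ctx. */
static bool reject_keeps_ctx(void)
{
	HNBAP_Cause_t cause;
	HNBAP_HNBRegisterRejectIEs_t reject = {0};

	cause_set_protocol(&cause, HNBAP_CauseProtocol_unspecified);

	/* Pretend a decoder left state here; `reject.cause = cause` would
	 * overwrite it with cause._asn_ctx, which is the concern in the report. */
	reject.cause._asn_ctx.phase = 3;
	reject.cause._asn_ctx.step = 7;
	cause_copy_value(&reject.cause, &cause);

	return reject.cause.present == HNBAP_Cause_PR_protocol
	       && reject.cause.choice.protocol == HNBAP_CauseProtocol_unspecified
	       && reject.cause._asn_ctx.phase == 3
	       && reject.cause._asn_ctx.step == 7;
}

/* Check: a value built by cause_set_protocol() has an all-zero _asn_ctx. */
static bool fresh_cause_ctx_is_zero(void)
{
	HNBAP_Cause_t cause;
	cause_set_protocol(&cause, HNBAP_CauseProtocol_unspecified);
	return cause._asn_ctx.phase == 0 && cause._asn_ctx.step == 0
	       && cause._asn_ctx.context == 0 && cause._asn_ctx.ptr == NULL
	       && cause._asn_ctx.left == 0;
}

int main(void)
{
	printf("member-wise copy keeps ctx: %s\n", reject_keeps_ctx() ? "yes" : "no");
	printf("fresh cause ctx is zero:    %s\n", fresh_cause_ctx_is_zero() ? "yes" : "no");
	return 0;
}
```

The two helpers correspond one-to-one to the two bullets: memset()/`= {0}` removes the uninitialized read Coverity flags, and the member-wise copy avoids clobbering the destination's _asn_ctx regardless of what libasn1c keeps there.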
Actions #2

Updated by laforge 16 days ago

  • Assignee deleted (laforge)

Unassigning from me; I'm unlikely to have time to work on this for months to come.

Actions #3

Updated by neels 15 days ago

  • Assignee set to neels