From 024152683646f1b68c85de74f783b81db51d16b5 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Fri, 2 Sep 2016 02:15:26 +0200 Subject: Fix CSN1 decoding: CSN_LEFT_ALIGNED_VAR_BMP bounds Fix attempted read past vector boundaries in case of a starting bit offset != 0, so that the last amount of bits read should be < 8. In the case of CSN_LEFT_ALIGNED_VAR_BMP, the mod-8 calculation was flawed, and in the final step, 8 bits were read instead of the remainder < 8. This lead to -EINVAL being returned by bitvec_get_bit_pos() and bogus resulting data. Instead, read 8 bits only as long as at least 8 bits remain, and read any remaining bits < 8 in a final step. Drop unneeded nB1 variable and an obvious comment. Adjust the unit test assertion in testCsnLeftAlignedVarBmpBounds() in RLCMACTest.cpp. Based on a fix by Aravind Sirsikar , but implemented differently. Related: OS#1805 Change-Id: I490498c8da6b531f54acb673379379f7b10907c0 --- src/csn1.cpp | 11 +++++------ tests/rlcmac/RLCMACTest.cpp | 7 +------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/src/csn1.cpp b/src/csn1.cpp index d51fe83e..a1698a58 100644 --- a/src/csn1.cpp +++ b/src/csn1.cpp @@ -1110,22 +1110,21 @@ csnStreamDecoder(csnStream_t* ar, const CSN_DESCR* pDescr, bitvec *vector, unsig { /* extract bits */ guint8* pui8 = pui8DATA(data, pDescr->offset); - gint16 nB1 = no_of_bits & 0x07;/* no_of_bits Mod 8 */ - while (no_of_bits > 0) + while (no_of_bits >= 8) { *pui8 = bitvec_read_field(vector, readIndex, 8); LOGPC(DCSN1, LOGL_NOTICE, "%s = %u | ", pDescr->sz , (unsigned)*pui8); pui8++; no_of_bits -= 8; } - if (nB1 > 0) + if (no_of_bits > 0) { - *pui8 = bitvec_read_field(vector, readIndex, nB1); + *pui8 = bitvec_read_field(vector, readIndex, no_of_bits); LOGPC(DCSN1, LOGL_NOTICE, "%s = %u | ", pDescr->sz , (unsigned)*pui8); pui8++; - no_of_bits -= nB1; - bit_offset += nB1; /* (nB1 is no_of_bits Mod 8) */ + bit_offset += no_of_bits; + no_of_bits = 0; } } } 
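Review bot: The result of `bitvec_read_field()` is still stored straight into `*pui8`, in both the 8-bit loop and the tail read, so a failed read cannot be told apart from decoded data; the commit message describes exactly that symptom (-EINVAL from bitvec_get_bit_pos() turning into bogus output). The new loop condition removes the known over-read, but a later miscount would again fail silently, so I would reject the bitmap through the decoder's normal error path when fewer than `no_of_bits` bits remain in `vector`, before entering `/* extract bits */`. The hunk also shows no bound on `no_of_bits` against the size of the field at `pDescr->offset`, so the `pui8++` writes appear to be limited only by a length taken from the received message. `csnStreamDecoder` starts and ends outside this hunk, so both checks may already exist out of view; if they do, a comment such as `/* no_of_bits was checked above against the bits left in vector and the size of the destination field */` would make the invariant visible here.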
diff --git a/tests/rlcmac/RLCMACTest.cpp b/tests/rlcmac/RLCMACTest.cpp index f633dd82..97e5e606 100644 --- a/tests/rlcmac/RLCMACTest.cpp +++ b/tests/rlcmac/RLCMACTest.cpp @@ -223,13 +223,8 @@ void testCsnLeftAlignedVarBmpBounds() &data.u.Egprs_Packet_Downlink_Ack_Nack.EGPRS_AckNack.Desc; decode_gsm_rlcmac_uplink(vector, &data); - /* - * TODO: URBB len is decoded as 102 bits. So 96 + 6 bits = 12 bytes + 6 - * bits should be decoded. The 13th byte should end up as 0x00, but we - * see data coming from bitvec_get_bit_pos() returning -EINVAL. - */ OSMO_ASSERT(!strcmp(osmo_hexdump(urbb->URBB, 13), - "7f ff ff ee 00 00 00 00 00 00 00 00 ea ")); + "7f ff ff ee 00 00 00 00 00 00 00 00 00 ")); } int main(int argc, char *argv[]) -- cgit v1.2.3
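Review bot: Removing the whole TODO block also removes the only explanation of why 13 bytes are compared, namely that the URBB length decodes as 102 bits, i.e. 12 full bytes plus 6 bits. I would keep that part as a plain comment above the assertion, e.g. `/* URBB len is decoded as 102 bits = 12 bytes + 6 bits, so 13 bytes are dumped */`. The assertion pins only the dumped bytes; also asserting the decoded bit length would catch a regression that miscounts bits without changing these 13 bytes (the name of the length field is not visible in this hunk). The body of `testCsnLeftAlignedVarBmpBounds()` starts outside the hunk.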