From ffe5a8d8b8ea486b75cd38bbd28c1a7eac9c6fbb Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Fri, 5 Jun 2020 01:57:52 +0700
Subject: rsl: refactor handling of RSL_IE_MR_CONFIG
- get rid of gsm_lchan::mr_bts_lv, it's never used anyway,
- check IE length in amr_parse_mr_conf() before parsing,
- check return code of amr_parse_mr_conf().
Change-Id: Ibfd5845ea429945b352dd14421e86562998d65ca
---
 src/common/rsl.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
(limited to 'src/common/rsl.c')
diff --git a/src/common/rsl.c b/src/common/rsl.c
index 41dd2434..f057a89a 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -1209,17 +1209,16 @@ static int rsl_rx_chan_activ(struct msgb *msg)
 }
 /* 9.3.52 MultiRate Configuration */
 if (TLVP_PRESENT(&tp, RSL_IE_MR_CONFIG)) {
- if (TLVP_LEN(&tp, RSL_IE_MR_CONFIG) > sizeof(lchan->mr_bts_lv) - 1) {
+ rc = amr_parse_mr_conf(&lchan->tch.amr_mr,
+ TLVP_VAL(&tp, RSL_IE_MR_CONFIG),
+ TLVP_LEN(&tp, RSL_IE_MR_CONFIG));
+ if (rc < 0) {
 LOGPLCHAN(lchan, DRSL, LOGL_ERROR, "Error parsing MultiRate conf IE\n");
 rsl_tx_error_report(msg->trx, RSL_ERR_IE_CONTENT, &dch->chan_nr, NULL, msg);
 return rsl_tx_chan_act_acknack(lchan, RSL_ERR_IE_CONTENT);
 }
- memcpy(lchan->mr_bts_lv, TLVP_VAL(&tp, RSL_IE_MR_CONFIG) - 1,
- TLVP_LEN(&tp, RSL_IE_MR_CONFIG) + 1);
- amr_parse_mr_conf(&lchan->tch.amr_mr, TLVP_VAL(&tp, RSL_IE_MR_CONFIG),
- TLVP_LEN(&tp, RSL_IE_MR_CONFIG));
- amr_log_mr_conf(DRTP, LOGL_DEBUG, gsm_lchan_name(lchan),
- &lchan->tch.amr_mr);
+
+ amr_log_mr_conf(DRTP, LOGL_DEBUG, gsm_lchan_name(lchan), &lchan->tch.amr_mr);
 lchan->tch.last_cmr = AMR_CMR_NONE;
 }
 /* 9.3.53 MultiRate Control */
@@ -1556,6 +1555,7 @@ static int rsl_rx_mode_modif(struct msgb *msg)
 struct gsm_lchan *lchan = msg->lchan;
 struct rsl_ie_chan_mode *cm;
 struct tlv_parsed tp;
+ int rc;
 rsl_tlv_parse(&tp, msgb_l3(msg), msgb_l3len(msg));
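Review bot: In the rsl_rx_chan_activ hunk, amr_parse_mr_conf() is now handed `&lchan->tch.amr_mr` directly, so when it returns rc < 0 the handler NACKs the message but the lchan may already hold whatever fields the parser wrote before it gave up (the parser body is not part of this diff, so this is inferred). The same pattern appears in the rsl_rx_mode_modif hunk at -1588, where it matters more because the channel is presumably already in use when the modification request arrives. Parsing into a local of the same type as `lchan->tch.amr_mr` and committing only on success keeps a rejected IE from altering channel state: `rc = amr_parse_mr_conf(&mr_tmp, TLVP_VAL(&tp, RSL_IE_MR_CONFIG), TLVP_LEN(&tp, RSL_IE_MR_CONFIG));` and, after the `rc < 0` branch, `lchan->tch.amr_mr = mr_tmp;`. Both function bodies start and end outside their hunks.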
@@ -1588,17 +1588,16 @@ static int rsl_rx_mode_modif(struct msgb *msg)
 /* 9.3.52 MultiRate Configuration */
 if (TLVP_PRESENT(&tp, RSL_IE_MR_CONFIG)) {
- if (TLVP_LEN(&tp, RSL_IE_MR_CONFIG) > sizeof(lchan->mr_bts_lv) - 1) {
+ rc = amr_parse_mr_conf(&lchan->tch.amr_mr,
+ TLVP_VAL(&tp, RSL_IE_MR_CONFIG),
+ TLVP_LEN(&tp, RSL_IE_MR_CONFIG));
+ if (rc < 0) {
 LOGPLCHAN(lchan, DRSL, LOGL_ERROR, "Error parsing MultiRate conf IE\n");
 rsl_tx_error_report(msg->trx, RSL_ERR_IE_CONTENT, &dch->chan_nr, NULL, msg);
 return rsl_tx_mode_modif_nack(lchan, RSL_ERR_IE_CONTENT);;
 }
- memcpy(lchan->mr_bts_lv, TLVP_VAL(&tp, RSL_IE_MR_CONFIG) - 1,
- TLVP_LEN(&tp, RSL_IE_MR_CONFIG) + 1);
- amr_parse_mr_conf(&lchan->tch.amr_mr, TLVP_VAL(&tp, RSL_IE_MR_CONFIG),
- TLVP_LEN(&tp, RSL_IE_MR_CONFIG));
- amr_log_mr_conf(DRTP, LOGL_DEBUG, gsm_lchan_name(lchan),
- &lchan->tch.amr_mr);
+
+ amr_log_mr_conf(DRTP, LOGL_DEBUG, gsm_lchan_name(lchan), &lchan->tch.amr_mr);
 lchan->tch.last_cmr = AMR_CMR_NONE;
 }
 /* 9.3.53 MultiRate Control */
--
cgit v1.2.3
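Review bot: The error branch in this hunk still logs the fixed text `"Error parsing MultiRate conf IE\n"`, even though the condition now reports a parser result rather than a size comparison; neither `rc` nor the received IE length is recorded. The bound that used to be enforced here (`sizeof(lchan->mr_bts_lv) - 1`) has, per the commit message, moved into amr_parse_mr_conf(), which this view (limited to src/common/rsl.c) does not show, so the log line is the only place that explains why a received IE was rejected. I would change it to `LOGPLCHAN(lchan, DRSL, LOGL_ERROR, "Error parsing MultiRate conf IE (rc=%d, len=%u)\n", rc, (unsigned int)TLVP_LEN(&tp, RSL_IE_MR_CONFIG));` and do the same in the rsl_rx_chan_activ hunk. The stray `;;` after the `rsl_tx_mode_modif_nack()` return can be tidied while these lines are being touched.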