From 8a2e935cdb67ff93a0ec8382b41f173b216ca3b5 Mon Sep 17 00:00:00 2001
From: Felix Domke
Date: Wed, 15 Jul 2015 04:09:50 +0200
Subject: layer1: fix chan_nr2mf_task_mask for TCH/H channel

"multiframe", the frame layout (used to compute neighbor cell monitoring pattern) was uninitialized in TCH/H case. This, in combination with gcc optimizing the "switch(multiframe)"-statement into a LUT without bounds- checking (since using an uninitialized value is undefined behavior) caused neigh_task to be filled with an out-of- bounds value, eventually crashing the TDMA scheduler.

Written-by: Felix Domke
Signed-off-by: Sylvain Munaut
---
 src/target/firmware/layer1/l23_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/target/firmware/layer1/l23_api.c b/src/target/firmware/layer1/l23_api.c
index ae39e634..9a90e3aa 100644
--- a/src/target/firmware/layer1/l23_api.c
+++ b/src/target/firmware/layer1/l23_api.c
@@ -79,7 +79,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode)
 	uint8_t lch_idx;
 	enum mframe_task master_task = 0;
 	uint32_t neigh_task = 0;
-	enum mf_type multiframe;
+	enum mf_type multiframe = 0;
 
 	if (cbits == 0x01) {
 		lch_idx = 0;
@@ -88,6 +88,7 @@ static uint32_t chan_nr2mf_task_mask(uint8_t chan_nr, uint8_t neigh_mode)
 	} else if ((cbits & 0x1e) == 0x02) {
 		lch_idx = cbits & 0x1;
 		master_task = MF_TASK_TCH_H_0 + lch_idx;
+		multiframe = (lch_idx & 1) ? MF26ODD : MF26EVEN;
 	} else if ((cbits & 0x1c) == 0x04) {
 		lch_idx = cbits & 0x3;
 		master_task = MF_TASK_SDCCH4_0 + lch_idx;
-- 
cgit v1.2.3
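Review bot: The new `= 0` initializer on the `enum mf_type multiframe` declaration in the first hunk is a silent fallback — whichever enumerator happens to be 0 becomes the layout for any chan_nr that no branch below assigns, and nothing in the code names that intent, so a later reader may drop it as redundant. A one-line comment would pin it down: `enum mf_type multiframe = 0;  /* every cbits branch below must set this; the switch on it has no bounds check */`. In the second hunk `lch_idx` is already `cbits & 0x1`, so the added line could read `multiframe = lch_idx ? MF26ODD : MF26EVEN;` without the extra masking. Whether TCH/H sub-channel 0 really maps to MF26EVEN and 1 to MF26ODD cannot be confirmed from the hunk, and the rest of chan_nr2mf_task_mask — including the `switch(multiframe)` the commit message describes — lies outside both hunks; a `default:` arm there that rejects unexpected values would address the crash the message describes more directly than the initializer alone.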