src/g23m-gsm/sms/sms_for.c: bogus malloc removed
The new error handling code that was not present in TCS211 blob version
contains a malloc call that is bogus for 3 reasons:
1) The memory allocation in question is not needed in the first place;
2) libc malloc is used instead of one of the firmware's proper ways;
3) The memory allocation is made inside a function and then never freed,
i.e., a memory leak.
This bug was caught in gcc-built FreeCalypso fw projects (Citrine
and Selenite) because our gcc environment does not allow any use of
libc malloc (any reference to malloc produces a link failure),
but this code from TCS3.2 is wrong even for Magnetite: if this code
path is executed repeatedly over a long time, the many small allocations
made by this malloc call without a subsequent free will eventually
exhaust the malloc heap provided by the TMS470 environment, malloc will
start returning NULL, and the bogus code will treat it as an error.
Because the memory allocation in question is not needed at all,
the fix entails simply removing it.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sun, 22 Jul 2018 06:04:49 +0000 |
parents | 219afcfc6250 |
children |
/* +----------------------------------------------------------------------------- | Project : | Modul : +----------------------------------------------------------------------------- | Copyright 2002 Texas Instruments Berlin, AG | All rights reserved. | | This file is confidential and a trade secret of Texas | Instruments Berlin, AG | The receipt of or possession of this file does not convey | any rights to reproduce or disclose its contents or to | manufacture, use, or sell anything it may describe, in | whole, or in part, without the specific written consent of | Texas Instruments Berlin, AG. +----------------------------------------------------------------------------- | Purpose : This modul is part of the entity LLC and implements all | functions to handles the incoming primitives as described in | the SDL-documentation (RX-statemachine) +----------------------------------------------------------------------------- */ #ifndef LLC_RXP_C #define LLC_RXP_C #endif #define ENTITY_LLC /*==== INCLUDES =============================================================*/ #include "typedefs.h" /* to get Condat data types */ #include "vsi.h" /* to get a lot of macros */ #include "macdef.h" #include "gprs.h" #include "gsm.h" /* to get a lot of macros */ #include "cnf_llc.h" /* to get cnf-definitions */ #include "mon_llc.h" /* to get mon-definitions */ #include "prim.h" /* to get the definitions of used SAP and directions */ #include "llc.h" /* to get the global entity definitions */ #include "llc_rxf.h" /* to get local RX functions */ #include "llc_us.h" /* to get signal interface to U */ #include "llc_uirxs.h" /* to get signal interface to UIRX */ #include "llc_irxs.h" /* to get signal interface to IRX */ #ifdef _SIMULATION_ #include <string.h> /* to get memcpy() */ #endif /*==== CONST ================================================================*/ /*==== LOCAL VARS ===========================================================*/ /*==== PRIVATE FUNCTIONS 
====================================================*/

#ifdef _SIMULATION_
LOCAL void rx_copy_test_primitive_data (T_GRLC_UNITDATA_IND_TEST *grlc_unitdata_ind_test,
                                        T_GRLC_UNITDATA_IND      *grlc_unitdata_ind);
#endif

#ifndef CF_FAST_EXEC
GLOBAL void rx_grlc_xdata_ind (T_GRLC_UNITDATA_IND *grlc_unitdata_ind);
#endif /* CF_FAST_EXEC */

/*==== PUBLIC FUNCTIONS =====================================================*/

/*
+------------------------------------------------------------------------------
| Function    : rx_grlc_data_ind
+------------------------------------------------------------------------------
| Description : Handles the primitive GRLC_DATA_IND.
|               In state RX_TLLI_ASSIGNED the primitive is re-typed to
|               GRLC_UNITDATA_IND (both carry the same information) and handed
|               to rx_grlc_xdata_ind(), which owns it from then on.  In every
|               other RX state the primitive together with its descriptor
|               list is released here and an error is traced.
|
| Parameters  : *grlc_data_ind - Ptr to primitive payload; ownership is taken
|                                over by this function on every path.
|
+------------------------------------------------------------------------------
*/
#ifndef CF_FAST_EXEC
GLOBAL void rx_grlc_data_ind ( T_GRLC_DATA_IND *grlc_data_ind )
{
  TRACE_FUNCTION( "grlc_data_ind" );

  if (GET_STATE( RX ) == RX_TLLI_ASSIGNED)
  {
    /*
     * GRLC_DATA_IND and GRLC_UNITDATA_IND contain the same information, so
     * the primitive is re-typed in place instead of being copied.
     */
    PPASS (grlc_data_ind, grlc_unitdata_ind, GRLC_UNITDATA_IND);

    /* Common handling of both primitive types. */
    rx_grlc_xdata_ind (grlc_unitdata_ind);
  }
  else
  {
    /* RX is not in state RX_TLLI_ASSIGNED: drop primitive and descriptors. */
    PFREE_DESC (grlc_data_ind);
    TRACE_ERROR( "GRLC_DATA_IND unexpected" );
  }
} /* rx_grlc_data_ind() */
#endif /* CF_FAST_EXEC */

/*
+------------------------------------------------------------------------------
| Function    : rx_grlc_unitdata_ind
+------------------------------------------------------------------------------
| Description : Handles the primitive GRLC_UNITDATA_IND.
|               In state RX_TLLI_ASSIGNED the primitive is handed to
|               rx_grlc_xdata_ind(), which owns it from then on.  In every
|               other RX state the primitive together with its descriptor
|               list is released here and an error is traced.
|
| Parameters  : *grlc_unitdata_ind - Ptr to primitive payload; ownership is
|                                    taken over by this function on every path.
|
+------------------------------------------------------------------------------
*/
#ifndef CF_FAST_EXEC
GLOBAL void rx_grlc_unitdata_ind ( T_GRLC_UNITDATA_IND *grlc_unitdata_ind )
{
  TRACE_FUNCTION( "grlc_unitdata_ind" );

  if (GET_STATE( RX ) == RX_TLLI_ASSIGNED)
  {
    /* Common handling of GRLC_DATA_IND / GRLC_UNITDATA_IND. */
    rx_grlc_xdata_ind (grlc_unitdata_ind);
  }
  else
  {
    /* RX is not in state RX_TLLI_ASSIGNED: drop primitive and descriptors. */
    PFREE_DESC (grlc_unitdata_ind);
    TRACE_ERROR( "GRLC_UNITDATA_IND unexpected" );
  }
} /* rx_grlc_unitdata_ind() */
#endif /* CF_FAST_EXEC */

/*
+------------------------------------------------------------------------------
| Function    : rx_cci_decipher_cnf
+------------------------------------------------------------------------------
| Description : Handles the primitive CCI_DECIPHER_CNF.
|               Note: The type LL_UNITDATA_IND is used instead to avoid PPASS .
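|
|               The deciphered frame is interpreted by rx_interpret_frame();
|               accepted frames are stripped of their LLC header and passed
|               to the U, UIRX or IRX service depending on the frame type.
|               Rejected frames are either dropped or reported to U as a
|               frame rejection condition (FRMR).  On every path the primitive
|               is either handed on to a sig_rx_* function or released with
|               PFREE here.
|
| Parameters  : *ll_unitdata_ind - Ptr to primitive payload.  On entry ->sapi
|                                  carries the FCS check result (CCI_FCS_PASSED
|                                  or not); rx_interpret_frame() overwrites it
|                                  with the SAPI decoded from the frame.
|                                  ->cipher is passed through to
|                                  rx_interpret_frame().
|
+------------------------------------------------------------------------------
*/
/*#if defined(CF_FAST_EXEC) || defined(_SIMULATION_) || defined(LL_2to1) */
GLOBAL void rx_cci_decipher_cnf ( T_LL_UNITDATA_IND *ll_unitdata_ind)
{
  UBYTE       cipher;
  T_PDU_TYPE  frame_type;
  T_COMMAND   command;
  T_BIT       cr_bit;
  T_BIT       pf_bit;
  T_FRAME_NUM nr;
  T_FRAME_NUM ns;
  BOOL        frame_ok;
  UBYTE       frame_rej;
  USHORT      frame_rej_ctrl_length;
  USHORT      ctrl_len;

  TRACE_FUNCTION( "rx_cci_decipher_cnf" );

  cipher = ll_unitdata_ind->cipher;

  switch( GET_STATE( RX ) )
  {
    case RX_TLLI_ASSIGNED:
      /* variable sapi is "misused" for fcs_check value */
      if (ll_unitdata_ind->sapi EQ CCI_FCS_PASSED)
      {
        {
          /*
           * Label INTERPRET
           *
           * Decode the frame header.  frame_ok summarises: correct frame
           * length, PD bit == 0, SAPI valid, FCS correct, known PDU type.
           * frame_rej tells whether a rejected frame has to be reported to U.
           */
          rx_interpret_frame (&ll_unitdata_ind->sdu,
                              &ll_unitdata_ind->sapi,
                              &frame_type,
                              &command,
                              &cr_bit,
                              &pf_bit,
                              &nr,
                              &ns,
                              &frame_ok,
                              &frame_rej,
                              &frame_rej_ctrl_length,
                              cipher);

          SWITCH_LLC (ll_unitdata_ind->sapi);

          /*
           * In case of I-frames check, if the information field exceeds
           * N201-I.  The check is made only for frames rx_interpret_frame()
           * accepted: for an I+S SACK frame the bitmap length octet (K) is
           * read from the SDU at a fixed offset, and a frame that already
           * failed the length check in rx_interpret_frame() may be shorter
           * than that offset.  A frame that is already rejected keeps the
           * rejection reason rx_interpret_frame() assigned.
           *
           * NOTE(review): whether the length check in rx_interpret_frame()
           * guarantees that the K octet lies inside an accepted SACK frame
           * is not visible here - confirm in llc_rxf.c.
           */
          if (frame_ok EQ TRUE && frame_type == I_FRAME)
          {
            ctrl_len = I_CTRL_MIN_OCTETS;

            /*
             * Add sizeof SACK-Bitmap, if necessary (add K+1)
             */
            if (command == I_SACK)
            {
              ctrl_len += (ll_unitdata_ind->sdu.buf[(ll_unitdata_ind->sdu.o_buf/8)+4] & 0x1F) + 1;
            }

            if (BYTELEN(ll_unitdata_ind->sdu.l_buf) > *(llc_data->n201_i) + ctrl_len)
            {
              frame_ok  = FALSE;
              frame_rej = FRMR_W2;
              TRACE_0_INFO("Received frame violates N201-I: send FRMR");
            }
          }

          if (frame_ok EQ TRUE)
          {
            rx_strip_llc_header (&ll_unitdata_ind->sdu, frame_type, command);

            /*
             * Label S_DATA
             *
             * Dispatch on frame type.  The primitive (with the SDU) is handed
             * over to the receiving service, which becomes its owner.
             */
            switch (frame_type)
            {
              case U_FRAME:
                /*
                 * Label U_FRAME
                 */
                sig_rx_u_data_ind (ll_unitdata_ind, command, cr_bit, pf_bit);
                break;

              case UI_FRAME:
                /*
                 * Label UI_FRAME
                 */
                sig_rx_uirx_data_ind (ll_unitdata_ind, nr);
                break;

              case S_FRAME:
                /*
                 * No break. S frames and I frames are treated the same way.
                 */
              case I_FRAME:
                /*
                 * Label I_FRAME
                 */
                sig_rx_irx_data_ind (ll_unitdata_ind, command, frame_type,
                                     cr_bit, pf_bit, ns, nr);
                break;

              default:
                /* Cannot happen for frame_ok == TRUE; release the primitive. */
                PFREE (ll_unitdata_ind);
                TRACE_ERROR ("unknown frame type");
                break;
            }
          }
          else /* frame_ok EQ FALSE */
          {
            /*
             * Check if frame rejection condition occurred, and if U has to be
             * informed.
             */
            if (frame_rej EQ FRAME_NOT_REJ)
            {
              TRACE_0_INFO("Frame ignored due to decode problem");
              PFREE (ll_unitdata_ind);
            }
            else /* W1 bit and/or W3 bit set */
            {
              /*
               * Inform U of the frame rejection condition; U takes over the
               * primitive.
               */
              TRACE_0_INFO("Frame rejected due to decode problem");
              sig_rx_u_frmr_ind (ll_unitdata_ind, frame_type,
                                 frame_rej_ctrl_length, cr_bit, frame_rej);
            }
          }
        } /* end of validity range of ll_unitdata_ind */
      }
      else /* fcs_check EQ CCI_FCS_FAILED */
      {
#ifdef TRACE_EVE
        /*
         * Interpretation is repeated here only for the sake of the traces
         * rx_interpret_frame() emits; the decoded values are not used.
         */
        UBYTE sapi;

        rx_interpret_frame (&ll_unitdata_ind->sdu,
                            &sapi,
                            &frame_type,
                            &command,
                            &cr_bit,
                            &pf_bit,
                            &nr,
                            &ns,
                            &frame_ok,
                            &frame_rej,
                            &frame_rej_ctrl_length,
                            cipher);
#endif
        TRACE_0_INFO("Frame discarded due to FCS");
        PFREE (ll_unitdata_ind);
      }
      break;

    default:
      PFREE(ll_unitdata_ind);
      TRACE_ERROR( "CCI_DECIPHER_CNF unexpected" );
      break;
  }
} /* rx_cci_decipher_cnf() */
/*#endif */ /* CF_FAST_EXEC || _SIMULATION_ */

/*
+------------------------------------------------------------------------------
| Function    : rx_grlc_data_ind_test
+------------------------------------------------------------------------------
| Description : Handles the primitive GRLC_DATA_IND_TEST
|               NOTE: This is only necessary in simulation environment.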
|
|               The test primitive carries its payload in an SDU; it is
|               converted to a regular GRLC_UNITDATA_IND with a descriptor
|               list and then handled like a received GRLC_DATA_IND.
|
| Parameters  : *grlc_data_ind_test - Ptr to primitive payload; released by
|                                     this function on every path.
|
+------------------------------------------------------------------------------
*/
#ifdef _SIMULATION_
GLOBAL void rx_grlc_data_ind_test ( T_GRLC_DATA_IND_TEST *grlc_data_ind_test )
{
  TRACE_FUNCTION( "grlc_data_ind_test" );

  if (GET_STATE( RX ) != RX_TLLI_ASSIGNED)
  {
    PFREE (grlc_data_ind_test);
    TRACE_ERROR( "GRLC_DATA_IND_TEST unexpected" );
    return;
  }

  {
    /*
     * Build a "normal" GRLC_UNITDATA_IND: take over the TLLI and copy the
     * SDU of the test primitive into the descriptor list.  The test
     * primitive is not needed afterwards.
     */
    PALLOC_DESC (grlc_unitdata_ind, GRLC_UNITDATA_IND);

    grlc_unitdata_ind->tlli = grlc_data_ind_test->tlli;
    rx_copy_test_primitive_data ((T_GRLC_UNITDATA_IND_TEST *)grlc_data_ind_test,
                                 grlc_unitdata_ind);
    PFREE (grlc_data_ind_test);

    /* From here on the frame is processed like any received frame. */
    rx_grlc_xdata_ind (grlc_unitdata_ind);
  }
} /* rx_grlc_data_ind_test() */
#endif /* _SIMULATION_ */

/*
+------------------------------------------------------------------------------
| Function    : rx_grlc_unitdata_ind_test
+------------------------------------------------------------------------------
| Description : Handles the primitive GRLC_UNITDATA_IND_TEST
|               NOTE: This is only necessary in simulation environment.
|               The test primitive carries its payload in an SDU; it is
|               converted to a regular GRLC_UNITDATA_IND with a descriptor
|               list and then handled like a received GRLC_UNITDATA_IND.
|
| Parameters  : *grlc_unitdata_ind_test - Ptr to primitive payload; released
|                                         by this function on every path.
|
+------------------------------------------------------------------------------
*/
#ifdef _SIMULATION_
GLOBAL void rx_grlc_unitdata_ind_test ( T_GRLC_UNITDATA_IND_TEST *grlc_unitdata_ind_test )
{
  TRACE_FUNCTION( "grlc_unitdata_ind_test" );

  if (GET_STATE( RX ) != RX_TLLI_ASSIGNED)
  {
    PFREE (grlc_unitdata_ind_test);
    TRACE_ERROR( "GRLC_UNITDATA_IND_TEST unexpected" );
    return;
  }

  {
    /*
     * Build a "normal" GRLC_UNITDATA_IND: take over the TLLI and copy the
     * SDU of the test primitive into the descriptor list.  The test
     * primitive is not needed afterwards.
     */
    PALLOC_DESC (grlc_unitdata_ind, GRLC_UNITDATA_IND);

    grlc_unitdata_ind->tlli = grlc_unitdata_ind_test->tlli;
    rx_copy_test_primitive_data (grlc_unitdata_ind_test, grlc_unitdata_ind);
    PFREE (grlc_unitdata_ind_test);

    /* From here on the frame is processed like any received frame. */
    rx_grlc_xdata_ind (grlc_unitdata_ind);
  }
} /* rx_grlc_unitdata_ind_test() */
#endif /* _SIMULATION_ */

/*
+------------------------------------------------------------------------------
| Function    : rx_copy_test_primitive_data
+------------------------------------------------------------------------------
| Description : Copies the data of a TEST primitive (sdu) to a normal
|               primitive (desc_list).  The SDU is split into descriptors
|               of at most FRAG_LEN octets, each allocated with MALLOC and
|               linked into desc_list; desc_list.list_len is set to the
|               total number of octets copied.
|               ATTENTION: All other parameters of the primitives are left
|               untouched and are not copied by this function!
|
|               NOTE(review): the copy starts at o_buf/8 but stops at l_buf/8.
|               If l_buf counts the data bits following the offset (as the
|               N201-I check in rx_cci_decipher_cnf() treats it via BYTELEN),
|               o_buf/8 octets too few are copied whenever o_buf != 0 -
|               confirm that the test primitives always carry o_buf == 0.
|
| Parameters  : *grlc_unitdata_ind_test - source primitive
|               *grlc_unitdata_ind      - destination primitive
|
+------------------------------------------------------------------------------
*/
#ifdef _SIMULATION_
LOCAL void rx_copy_test_primitive_data (T_GRLC_UNITDATA_IND_TEST *grlc_unitdata_ind_test,
                                        T_GRLC_UNITDATA_IND      *grlc_unitdata_ind)
{
#define FRAG_LEN 80 /* value + 6 must fit in a pool with lots of entries */

  T_sdu  *sdu;
  T_desc *desc;
  T_desc *last_desc = NULL;   /* tail of the list built so far */
  int     sdu_index;          /* next SDU octet to copy */
  int     length;             /* octets going into the current descriptor */

  sdu = &grlc_unitdata_ind_test->sdu;

  /* Start at the first relevant octet; the list is empty so far. */
  sdu_index = sdu->o_buf/8;
  grlc_unitdata_ind->desc_list.list_len = 0;

  /*
   * Copy the complete SDU into descriptors of at most FRAG_LEN octets.
   */
  while (sdu_index < sdu->l_buf/8)
  {
    /* Remaining SDU octets, capped at FRAG_LEN. */
    if (sdu_index + FRAG_LEN < sdu->l_buf/8)
    {
      length = FRAG_LEN;
    }
    else
    {
      length = sdu->l_buf/8 - sdu_index;
    }

    /*
     * Allocate the necessary size for the data descriptor.
The size is calculated as follows:
     *   - take the size of a descriptor structure
     *   - subtract one because of the array buffer[1] to get the size of
     *     the descriptor control information
     *   - add the number of octets of descriptor data
     */
    MALLOC (desc, (USHORT)(sizeof(T_desc) - 1 + length));

    /* Control information: this descriptor is (for now) the last one. */
    desc->next = (ULONG)NULL;
    desc->len  = length;

    grlc_unitdata_ind->desc_list.list_len += length;

    /* Move the user data from the SDU into the descriptor. */
    memcpy (desc->buffer, &sdu->buf[sdu_index], length);
    sdu_index += length;

    /* Link it in: either as list head or behind the previous descriptor. */
    if (last_desc == NULL)
    {
      grlc_unitdata_ind->desc_list.first = (ULONG)desc;
    }
    else
    {
      last_desc->next = (ULONG)desc;
    }

    last_desc = desc;
  }

  return;
} /* rx_copy_test_primitive_data */
#endif /* _SIMULATION_ */

/*
+------------------------------------------------------------------------------
| Function    : rx_grlc_xdata_ind
+------------------------------------------------------------------------------
| Description : Handles the primitives GRLC_DATA_IND / GRLC_UNITDATA_IND.
|               First a TLLI change is reported to GMM (see below), then the
|               control field is analysed.  Frames with a valid control field
|               and a supported SAPI are handed to rx_send_decipher_req();
|               all other frames are dropped.
|
| Parameters  : *grlc_unitdata_ind - Ptr to primitive payload.  Released on
|                                    every path: together with its descriptor
|                                    list when the frame is dropped, without
|                                    it after rx_send_decipher_req() has
|                                    copied the descriptor list.
|
+------------------------------------------------------------------------------
*/
#ifndef CF_FAST_EXEC
/* Value of llc_data->tlli_old that marks "no old TLLI pending". */
#ifdef LL_2to1
#define RX_TLLI_OLD_INVALID PS_TLLI_INVALID
#else
#define RX_TLLI_OLD_INVALID LLGMM_TLLI_INVALID
#endif

GLOBAL void rx_grlc_xdata_ind ( T_GRLC_UNITDATA_IND *grlc_unitdata_ind )
{
  T_PDU_TYPE  frame_type;
  UBYTE       protected_mode;
  UBYTE       sapi;
  T_FRAME_NUM ns;
  BOOL        ciphering;
  USHORT      header_size;
  BOOL        frame_ok;

  TRACE_FUNCTION( "grlc_xdata_ind" );

  /*
   * Unassigning old TLLI
   *
   * GMM has to be informed that a new TLLI has been received, so GMM can
   * unassign the old TLLI and old P-TMSI in GRLC.  The old TLLI is
   * invalidated here; normally GMM then sends LLGMM_ASSIGN_REQ with
   * new_tlli != all 1's and old_tlli == all 1's.
   * See 04.64 cp. 6.1 <R.LLC.TLLI_ASS.A.002>
   */
  if (llc_data->tlli_old != RX_TLLI_OLD_INVALID
      && grlc_unitdata_ind->tlli != llc_data->tlli_old)
  {
    PALLOC ( llgmm_tlli_ind, LLGMM_TLLI_IND );

    llgmm_tlli_ind->new_tlli = grlc_unitdata_ind->tlli;
    llc_data->tlli_old = RX_TLLI_OLD_INVALID;

    PSEND ( hCommGMM, llgmm_tlli_ind);
  }

  rx_analyse_ctrl_field (grlc_unitdata_ind,
                         &frame_type,
                         &protected_mode,
                         &sapi,
                         &ns,
                         &ciphering,
                         &header_size,
                         &frame_ok);

  if (frame_ok != TRUE)
  {
    /* Control field not usable: drop GRLC_UNITDATA_IND with descriptors. */
    PFREE_DESC (grlc_unitdata_ind);
    TRACE_EVENT("Frame ignored!");
    return;
  }

  /*
   * Only frames for a supported SAPI are processed; for those the LLC
   * context is switched to that SAPI before deciphering is requested.
   */
  switch (sapi)
  {
    case LL_SAPI_1:
    case LL_SAPI_3:
    case LL_SAPI_5:
    case LL_SAPI_7:
    case LL_SAPI_9:
    case LL_SAPI_11:
      SWITCH_LLC (sapi);

      rx_send_decipher_req (grlc_unitdata_ind, frame_type, protected_mode,
                            ns, header_size, ciphering);

      /*
       * The descriptor list was copied by rx_send_decipher_req(), so only
       * the primitive itself is released.  Do not use PFREE_DESC here!
       */
      PFREE (grlc_unitdata_ind);
      break;

    default:
      /* Reserved SAPI: frame and descriptor list are not used any further. */
      PFREE_DESC (grlc_unitdata_ind);
      TRACE_0_INFO("Frame received for reserved SAPI");
      break;
  }

  return;
} /* rx_grlc_xdata_ind() */

#undef RX_TLLI_OLD_INVALID
#endif /* CF_FAST_EXEC */