view src/gpf3/ccd/csn1_concat.c @ 516:1ed9de6c90bd
src/g23m-gsm/sms/sms_for.c: bogus malloc removed
The new error handling code that was not present in TCS211 blob version
contains a malloc call that is bogus for 3 reasons:
1) The memory allocation in question is not needed in the first place;
2) libc malloc is used instead of one of the firmware's proper ways;
3) The memory allocation is made inside a function and then never freed,
i.e., a memory leak.
This bug was caught in gcc-built FreeCalypso fw projects (Citrine
and Selenite) because our gcc environment does not allow any use of
libc malloc (any reference to malloc produces a link failure),
but this code from TCS3.2 is wrong even for Magnetite: if this code
path is executed repeatedly over a long time, the many small allocations
made by this malloc call without a subsequent free will eventually
exhaust the malloc heap provided by the TMS470 environment, malloc will
start returning NULL, and the bogus code will treat it as an error.
Because the memory allocation in question is not needed at all,
the fix entails simply removing it.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sun, 22 Jul 2018 06:04:49 +0000 |
parents | c41a534f33c6 |
children |
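/*
+-----------------------------------------------------------------------------
|  Project :
|  Modul   :  csn1_concat.c
+-----------------------------------------------------------------------------
|  Copyright 2004 Texas Instruments Deutschland GmbH
|                 All rights reserved.
|
|                 This file is confidential and a trade secret of Texas
|                 Instruments Deutschland GmbH
|                 The receipt of or possession of this file does not convey
|                 any rights to reproduce or disclose its contents or to
|                 manufacture, use, or sell anything it may describe, in
|                 whole, or in part, without the specific written consent of
|                 Texas Instruments Deutschland GmbH.
+-----------------------------------------------------------------------------
|  Purpose :  Condat Conder Decoder -
|             Definition of encoding and decoding functions of
|             CSN1 truncated concatenation elements
+-----------------------------------------------------------------------------
*/

/*
 * Standard definitions like GLOBAL, UCHAR, ERROR etc.
 */
#include "typedefs.h"
#include "header.h"

/*
 * Prototypes of ccd (USE_DRIVER EQ undef) for prototypes only
 * look at ccdapi.h
 */
#undef USE_DRIVER
#include "ccdapi.h"

/*
 * Types and functions for bit access and manipulation
 */
#include "ccd_globs.h"
#include "bitfun.h"

/*
 * Prototypes of ccd internal functions
 */
#include "ccd.h"
#include "ccd_codingtypes.h"

/*
 * Declaration of coder/decoder tables
 */
#include "ccdtable.h"
#include "ccddata.h"

EXTERN T_FUNC_POINTER codec[MAX_CODEC_ID+1][2];

#ifndef RUN_FLASH
/*
+---------------------------------------------------------------------+
| PROJECT : CCD (6144)               MODULE  : CCD                    |
| STATE   : code                     ROUTINE : cdc_csn1_concat_decode |
+---------------------------------------------------------------------+

  PURPOSE : decodes the bitstream to a C-Structure. The decoding
            rules contain the element definitions for the
            elements of this message.
            This function may be called recursively because of a
            substructured element definition.

  PARAMS  : c_ref - not referenced in this function; the component
                    codecs are called with melem[e_ref].elemRef.
            e_ref - index into melem[] of the concatenation element.
            globs - decoder state: bit position and limit, write
                    pointer into the C-structure, recursion level,
                    error label.

  RETURNS : 1 on every path, including the case where the element's
            condition is not fulfilled and nothing is decoded.
            Faults are reported through ccd_recordFault().
*/

SHORT cdc_csn1_concat_decode (const ULONG c_ref, const ULONG e_ref, T_CCD_Globs *globs)
{
  /*
   * index in table melem
   */
  ULONG   elem_ref, last_elem, start_elem;
  SHORT   codecRet;
  U8     *actStructpos;
  U8      actErrLabel;
  U16     actMaxBitpos, finalBitPos;
  U8     *pnumConcatElem = NULL;
  ULONG   i, num_concat_elem;
  BOOL    SetPosExpected = FALSE;
  ULONG   cix_ref, num_prolog_steps, prolog_step_ref;

#ifdef DEBUG_CCD
  #ifndef CCD_SYMBOLS
  TRACE_CCD (globs, "cdc_csn1_concat_decode()");
  #else
  TRACE_CCD (globs, "cdc_csn1_concat_decode() %s", ccddata_get_alias((USHORT) e_ref, 1));
  #endif
#endif

  actErrLabel = globs->errLabel;

  /* Set ref number for calcidx table. */
  cix_ref = melem[e_ref].calcIdxRef;
  num_prolog_steps = calcidx[cix_ref].numPrologSteps;
  prolog_step_ref  = calcidx[cix_ref].prologStepRef;

  /*
   * If this element is conditional, check the condition.
   */
  if (calcidx[cix_ref].numCondCalcs NEQ 0
      AND ! ccd_conditionOK (e_ref, globs))
    return 1;

  /*
   * if this element have a defined Prolog
   * we have to process it before decoding the bitstream
   */
  if (num_prolog_steps)
  {
    ccd_performOperations (num_prolog_steps, prolog_step_ref, globs);
  }

  globs->ccd_recurs_level++;

  if (globs->bitpos < globs->maxBitpos)
  {
    if (melem[e_ref].repType == 's')
    {
      BOOL  is_variable;
      ULONG max_rep, repeat;

      is_variable = ccd_calculateRep (e_ref, &repeat, &max_rep, globs);

      /*
       * The concatenation length must not reach beyond the bits that are
       * left in the message: record the fault and clamp the length, so
       * that finalBitPos never exceeds the current maxBitpos.
       */
      if (repeat > (ULONG) (globs->maxBitpos-globs->bitpos))
      {
        ccd_recordFault (globs, ERR_MAX_REPEAT, CONTINUE,
                         (USHORT) e_ref, globs->pstruct + globs->pstructOffs);
        repeat = MINIMUM (repeat, (ULONG) (globs->maxBitpos-globs->bitpos));
      }

      finalBitPos = (USHORT) (globs->bitpos + repeat);

#ifdef DEBUG_CCD
  #ifdef CCD_SYMBOLS
      TRACE_CCD (globs, "decoding of concatenation %s as a bit array",
                 mcomp[melem[e_ref].elemRef].name);
  #else
      TRACE_CCD (globs, "decoding of concatenation %d as a bit array",
                 melem[e_ref].elemRef);
  #endif
#endif

      /* Store the limit. The truncated concatenation may contain
         other compositions as bitstring.
       */
      actMaxBitpos = globs->maxBitpos;
      globs->maxBitpos = finalBitPos;
    }
    else
    {
#ifdef DEBUG_CCD
  #ifdef CCD_SYMBOLS
      TRACE_CCD (globs, "decoding concatenation %s",
                 mcomp[melem[e_ref].elemRef].name);
  #else
      TRACE_CCD (globs, "decoding concatenation %d", melem[e_ref].elemRef);
  #endif
#endif
    }

    /*
     * Store the actual structure position.
     */
    actStructpos = globs->pstruct;
    globs->pstructOffs = melem[e_ref].structOffs;
    globs->pstruct += globs->pstructOffs;

    /*
     * setup the index in the melem table for this composition.
     */
    elem_ref  = (ULONG) mcomp[melem[e_ref].elemRef].componentRef;
    last_elem = elem_ref + mcomp[melem[e_ref].elemRef].numOfComponents;

    /*
     * It is recommended to use a leading element of coding type NO_CODE
     * in the message description which is used to count the existing
     * elements of the truncated concatenation. If this element is missing
     * the decoding process will proceed but the CCD user is forced to
     * evaluate all of the valid flags.
     */
    if (melem[elem_ref].codingType == CCDTYPE_NO_CODE)
    {
      pnumConcatElem = globs->pstruct;
      elem_ref++;
      num_concat_elem = (ULONG) (mcomp[melem[e_ref].elemRef].numOfComponents - 1);
    }

    start_elem = elem_ref;

    /*
     * decode all elements
     */
    while (elem_ref < last_elem)
    {
#ifdef ERR_TRC_STK_CCD
      /* save the value for tracing in error case */
      globs->error_stack[globs->ccd_recurs_level] = (USHORT) elem_ref;
#endif /* ERR_TRC_STK_CCD */

      /*
       * check if the bitstream has ended
       */
      if (bf_endOfBitstream(globs) AND !globs->TagPending)
      {
        /* End of the bit stream is not reached if a call to bf_setBitpos()
         * is expected for the next element of the current substructure.
         * An instructive example is an empty "mob_id"
         */
        cix_ref = melem[elem_ref].calcIdxRef;
        num_prolog_steps = calcidx[cix_ref].numPrologSteps;
        prolog_step_ref  = calcidx[cix_ref].prologStepRef;

        if (num_prolog_steps)
        {
          /*
           * Scan calc[] downwards from prolog_step_ref + num_prolog_steps
           * to prolog_step_ref inclusive, looking for an 'S' operation.
           * i is unsigned, so the lower bound is tested before the
           * decrement: a "while (i >= prolog_step_ref)" loop can never
           * terminate on its condition when prolog_step_ref is 0, and the
           * index then wraps around and reads far outside calc[].
           * NOTE(review): the first index visited lies one past the range
           * [prolog_step_ref, prolog_step_ref + num_prolog_steps) - confirm
           * against the calc[] layout whether that is intended.
           */
          i = prolog_step_ref + num_prolog_steps;

          for (;;)
          {
            if (calc[i].operation == 'S')
            {
              SetPosExpected = TRUE;
              break;
            }
            if (i == prolog_step_ref)
              break;
            i--;
          }
        }

        /*
         * NOTE(review): SetPosExpected is never reset to FALSE inside this
         * loop, so once it is set the end-of-bitstream exit below is not
         * taken for any later element either - confirm this is intended.
         */
        if (SetPosExpected EQ FALSE)
        {
          num_concat_elem = elem_ref - start_elem;
          /* after the while loop the recursion level will be decremented. */
          break;
        }
      } /* if end of bit string */

      /*
       * use the jump-table for selecting the decode function
       */
      codecRet = codec[melem[elem_ref].codingType][DECODE_FUN](melem[e_ref].elemRef,
                                                               elem_ref, globs);
      if (codecRet NEQ 0x7f)
      {
        /*
         * set the elem_ref to the next or the same element
         */
        elem_ref += codecRet;
      }
    }

    /*
     * Report the number of decoded elements through the leading NO_CODE
     * element, if the message description provides one.
     */
    if (pnumConcatElem != NULL)
    {
      *pnumConcatElem = (UBYTE) num_concat_elem;
    }

    if (melem[e_ref].repType == 's')
    {
      /* The components consumed more bits than the concatenation holds. */
      if (globs->bitpos > finalBitPos)
      {
        ccd_recordFault (globs, ERR_CONCAT_LEN, CONTINUE, (USHORT) elem_ref,
                         globs->pstruct + globs->pstructOffs);
      }
      bf_setBitpos (finalBitPos, globs);

      /* Update maxBitpos to avoid an early end of decoding. */
      globs->maxBitpos = actMaxBitpos;
    }

    /*
     * restore the write pointer
     */
    globs->pstruct = actStructpos;
  }

  globs->errLabel = actErrLabel;

  /*
   * Reset indicator of exhaustion in the IEI table.
   * The loop stops at the first entry whose valid field is not TRUE;
   * no explicit upper bound on i is applied here.
   */
  for (i = 0; globs->iei_ctx[globs->ccd_recurs_level].iei_table[i].valid == TRUE; i++)
  {
    globs->iei_ctx[globs->ccd_recurs_level].iei_table[i].exhausted = FALSE;
  }

  globs->ccd_recurs_level--;
  return 1;
}
#endif /* !RUN_FLASH */

#ifndef RUN_FLASH
/*
+---------------------------------------------------------------------+
| PROJECT : CCD (6144)               MODULE  : CCD                    |
| STATE   : code                     ROUTINE : cdc_csn1_concat_encode |
+---------------------------------------------------------------------+

  PURPOSE : codes the content of a C-Structure into a bitstream.
            This function may be called recursively if an IE in the
            structure is itself a structured IE.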
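*/

/*
 * Encodes the components of the truncated concatenation element e_ref
 * until either all components are written or the bit position reaches
 * globs->msgLen.
 *
 * c_ref - not referenced in this function; the component codecs are
 *         called with melem[e_ref].elemRef.
 * e_ref - index into melem[] of the concatenation element.
 * globs - coder state: bit position, byte offset, message length,
 *         read pointer into the C-structure, recursion level.
 *
 * Returns 1 on every path, including the case where the element's
 * condition is not fulfilled and nothing is encoded. An overrun of
 * msgLen is reported through ccd_recordFault() with ERR_CONCAT_LEN.
 */
SHORT cdc_csn1_concat_encode (const ULONG c_ref, const ULONG e_ref, T_CCD_Globs *globs)
{
  ULONG   cix_ref, elem_ref, last_elem;
  U8      codecRet;
  U16     actBitpos;
  U8      actByteOffs;
  U8     *actStructpos;

#ifdef DEBUG_CCD
  #ifndef CCD_SYMBOLS
  TRACE_CCD (globs, "cdc_csn1_concat_encode()");
  #else
  TRACE_CCD (globs, "cdc_csn1_concat_encode() %s", ccddata_get_alias((USHORT) e_ref, 1));
  #endif
#endif

  cix_ref = melem[e_ref].calcIdxRef;

  /*
   * If this element is conditional, check the condition.
   */
  if (calcidx[cix_ref].numCondCalcs NEQ 0
      AND ! ccd_conditionOK (e_ref, globs))
    return 1;

  globs->ccd_recurs_level++;

  actStructpos = globs->pstruct;
  globs->pstructOffs = melem[e_ref].structOffs;
  globs->pstruct += globs->pstructOffs;

  elem_ref  = (ULONG) mcomp[melem[e_ref].elemRef].componentRef;
  last_elem = elem_ref + mcomp[melem[e_ref].elemRef].numOfComponents;

  /*
   * It is recommended to use a leading element of coding type NO_CODE
   * in the message description which is used to count the existing
   * elements of the truncated concatenation in case of decoding.
   * In case of encoding this element must be skipped.
   */
  if (melem[elem_ref].codingType == CCDTYPE_NO_CODE)
  {
    elem_ref++;

    /* last_elem = elem_ref + *globs->pstruct;
     * Encoding act on the assumption that all elements of the truncated
     * concatenation should be encoded. CCD will skip tagged elements
     * but in case of CSN1 coding CCD will write the flag indicating absent
     * elements. Values of mandatory elements without valid flags are coded
     * according to their assignments in the C-structure.
     * If more bits are written than the component l_buf of the message buffer
     * suggested CCD generates a warning (error code ERR_BUFFER_OF). It is up
     * to the user to analyse the consequences of this warning and to choose
     * adequate procedures.
     */
  }

  /*
   * code all elements
   */
  while ((elem_ref < last_elem) && (globs->bitpos < globs->msgLen))
  {
#ifdef ERR_TRC_STK_CCD
    /*
     * Save the value for tracing in error case.
     */
    globs->error_stack[globs->ccd_recurs_level] = (USHORT) elem_ref;
#endif /* ERR_TRC_STK_CCD */

    /*
     * Remember the write position so that it can be restored if this
     * element runs past msgLen. This is done ahead of the _TOOLS_ branch:
     * placed directly after its "else", these assignments became the only
     * statement governed by the else, so a patched element was still passed
     * to the codec and the saved position was not refreshed for it.
     */
    actBitpos   = globs->bitpos;
    actByteOffs = globs->byteoffs;

#if defined _TOOLS_
    if (ccd_patch (globs, 0))
      codecRet = 1;
    else
#endif /* _TOOLS_ */
    /* Use the jump-table for selecting encode function. */
    codecRet = (UBYTE)
      codec[melem[elem_ref].codingType][ENCODE_FUN](melem[e_ref].elemRef,
                                                    elem_ref, globs);

    if (globs->bitpos < globs->msgLen)
    {
      if (codecRet NEQ 0x7f)
      {
        /* Set the elem_ref to the next or the same element. */
        elem_ref += codecRet;
      }
    }
    else
    {
      /*
       * The element did not fit: roll the write position back to where
       * it was before this element and record the fault. Hitting msgLen
       * exactly ends the loop without a fault.
       */
      if (globs->bitpos > globs->msgLen)
      {
        globs->bitpos   = actBitpos;
        globs->byteoffs = actByteOffs;
        ccd_recordFault (globs, ERR_CONCAT_LEN, CONTINUE, (USHORT) elem_ref,
                         globs->pstruct + globs->pstructOffs);
      }
      break;
    }
  }

  /*
   * restore the read pointer
   * (the former "globs->pstruct += ...cSize" directly in front of this
   * assignment was overwritten by it and had no effect)
   */
  globs->pstruct = actStructpos;

  globs->ccd_recurs_level--;
  return 1;
}
#endif /* !RUN_FLASH */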