Bug #6431: (coverity) uninitialized asn.1 state / overwriting asn.1 state in HNBAP
Status: open
Start date:
04/03/2024
% Done:
0%
Description
Recent patch improves HNBAP error reporting. https://gerrit.osmocom.org/c/osmo-hnbgw/+/36479
But coverity complains about this pattern:
    HNBAP_Cause_t cause;
    cause.present = HNBAP_Cause_PR_protocol;
    cause.choice.radioNetwork = HNBAP_CauseProtocol_unspecified;
    return hnbgw_tx_hnb_register_rej(ctx, &cause);
That's because the internal asn.1 state in cause._asn_ctx is uninitialized.
I'd submit a fix like this, initializing the Cause:
- HNBAP_Cause_t cause;
+ HNBAP_Cause_t cause = {};

The reason I'm creating this issue is
- to draw attention to the _asn_ctx part.
- about other uninitialized items.
In hnbgw_tx_hnb_register_rej() we do this:
    HNBAP_HNBRegisterRejectIEs_t reject;
    reject.cause = *cause;
- we are overwriting the internal asn.1 state in reject.cause._asn_ctx with uninitialized mem.
- could there have been important state in there before?
- hm, 'reject' itself was not initialized at all.
This seems more than just a quick fix, so creating this issue instead of fixing.
Updated by laforge 26 days ago
Unless somebody has a better idea and a deeper understanding of the inner workings of libasn1c with regard to those _asn_ctx sub-structures, I suggest working around the problem by
- always initializing any variable on the stack (like you suggested)
- replace constructs like
reject.cause = *cause
with something that just assigns the two cause members but not the complete cause value.
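To make the two workarounds concrete, here is a constructed C example that is not osmo-hnbgw or libasn1c code: mock_asn_ctx_t and mock_cause_t are simplified stand-ins for asn1c's asn_struct_ctx_t and the generated HNBAP_Cause_t, and mock_cause_assign() is the hypothetical member-wise copy. It shows that whole-struct assignment replaces the destination's _asn_ctx with whatever the source held, while the member-wise copy leaves it in place, and that zero-initialization clears _asn_ctx.

```c
#include <stddef.h>

/* Simplified stand-in for asn1c's asn_struct_ctx_t, the per-struct codec
 * bookkeeping that every generated type carries in its _asn_ctx member. */
typedef struct { short phase; short step; int context; void *ptr; long left; } mock_asn_ctx_t;

/* Constructed mock of the generated HNBAP_Cause_t layout: discriminator,
 * union of alternatives, then the trailing _asn_ctx. */
enum mock_cause_pr { MOCK_PR_NOTHING, MOCK_PR_radioNetwork, MOCK_PR_protocol };
typedef struct {
	enum mock_cause_pr present;
	union { long radioNetwork; long protocol; } choice;
	mock_asn_ctx_t _asn_ctx;
} mock_cause_t;

/* Copies only the payload members; dst->_asn_ctx is left untouched. */
static void mock_cause_assign(mock_cause_t *dst, const mock_cause_t *src)
{
	dst->present = src->present;
	dst->choice = src->choice;
}

/* Returns the _asn_ctx.phase of a destination cause after copying a source
 * into it, either by whole-struct assignment (memberwise == 0) or with
 * mock_cause_assign() (memberwise != 0). The destination starts with
 * phase == 7 standing in for whatever state the library had stored there. */
short copy_cause_phase(int memberwise)
{
	mock_cause_t src = {0};            /* zero-init also clears _asn_ctx */
	src.present = MOCK_PR_protocol;
	src.choice.protocol = 0;           /* constructed: "unspecified" */
	src._asn_ctx.phase = 42;           /* constructed: stale ctx in the source */

	mock_cause_t dst = {0};
	dst._asn_ctx.phase = 7;            /* constructed: state worth keeping */

	if (memberwise)
		mock_cause_assign(&dst, &src);
	else
		dst = src;                 /* the reject.cause = *cause pattern */
	return dst._asn_ctx.phase;
}

/* Returns 1 if a zero-initialized cause has an all-zero _asn_ctx. */
int zero_init_clears_ctx(void)
{
	mock_cause_t c = {0};              /* the "= {}" fix, spelled portably */
	return c._asn_ctx.phase == 0 && c._asn_ctx.step == 0 && c._asn_ctx.context == 0
	       && c._asn_ctx.ptr == NULL && c._asn_ctx.left == 0;
}
```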