Bug #6100
closednacc_fsm: uninitialized neigh_key variable
100%
Description
The neigh_key variable in handle_retrans_pkt_cell_chg_notif() is used uninitialized.
There is never data written to it, but it should contain the neighbor key information from the previous message (we are detecting a resend/dup here).
The neigh_key variable is used with neigh_cache_entry_key_eq() at the bottom on the function, but all neigh_cache_entry_key_eq() does is a comparison, it does not put valid values into neigh_key.
Then when neigh_key is detected as different from the neigh_key information in ctx.
The neigh_key information in ctx is overwritten with the (invalid) contents of the uninitialized neigh_key variable. This cannot work and needs fixing.
(change I96280f0ec5955ed3cb17641bf4118496c929bdac did not introduce the problem)
** CID 322150: (UNINIT) /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif() /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif() ________________________________________________________________________________________________________ *** CID 322150: (UNINIT) /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif() 402 * section 8c.6.1. */ 403 nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE); 404 return; 405 } 406 407 /* If tgt cell changed, restart resolving it */ >>> CID 322150: (UNINIT) >>> Using uninitialized value "neigh_key.tgt_arfcn" when calling "neigh_cache_entry_key_eq". 408 if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) { 409 ctx->neigh_key = neigh_key; 410 nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI); 411 } 412 /* else: ignore it, it's a dup, carry on what we were doing */ 413 } /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif() 403 nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE); 404 return; 405 } 406 407 /* If tgt cell changed, restart resolving it */ 408 if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) { >>> CID 322150: (UNINIT) >>> Using uninitialized value "neigh_key". Field "neigh_key.tgt_bsic" is uninitialized. 409 ctx->neigh_key = neigh_key; 410 nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI); 411 } 412 /* else: ignore it, it's a dup, carry on what we were doing */ 413 } 414 /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 409 in handle_retrans_pkt_cell_chg_notif() 403 nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE); 404 return; 405 } 406 407 /* If tgt cell changed, restart resolving it */ 408 if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) { >>> CID 322150: (UNINIT) >>> Using uninitialized value "neigh_key". Field "neigh_key.tgt_arfcn" is uninitialized. 409 ctx->neigh_key = neigh_key; 410 nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI); 411 } 412 /* else: ignore it, it's a dup, carry on what we were doing */ 413 } 414 /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif() 402 * section 8c.6.1. */ 403 nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE); 404 return; 405 } 406 407 /* If tgt cell changed, restart resolving it */ >>> CID 322150: (UNINIT) >>> Using uninitialized value "neigh_key.local_lac" when calling "neigh_cache_entry_key_eq". 408 if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) { 409 ctx->neigh_key = neigh_key; 410 nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI); 411 } 412 /* else: ignore it, it's a dup, carry on what we were doing */ 413 } /source-Osmocom/osmo-pcu/src/nacc_fsm.c: 408 in handle_retrans_pkt_cell_chg_notif() 402 * section 8c.6.1. */ 403 nacc_fsm_state_chg(ctx->fi, NACC_ST_TX_CELL_CHG_CONTINUE); 404 return; 405 } 406 407 /* If tgt cell changed, restart resolving it */ >>> CID 322150: (UNINIT) >>> Using uninitialized value "neigh_key.tgt_bsic" when calling "neigh_cache_entry_key_eq". 408 if (!neigh_cache_entry_key_eq(&ctx->neigh_key, &neigh_key)) { 409 ctx->neigh_key = neigh_key; 410 nacc_fsm_state_chg(ctx->fi, NACC_ST_WAIT_RESOLVE_RAC_CI); 411 } 412 /* else: ignore it, it's a dup, carry on what we were doing */ 413 }