Out of bound access of array in phy_common.c #1501
Description
Assuming SRSRAN_MAX_CARRIERS is 5.
The if statement will be entered and the for loop recursively resets from index 0 to 4.
The problem is the initial call with cc_idx being 5. It will go past the if/for part and access the array with an index one past the end.
All the arrays were initialized with a size of SRSRAN_MAX_CARRIERS.
...
reset_measurements(SRSRAN_MAX_CARRIERS);
...
void phy_common::reset_measurements(uint32_t cc_idx)
{
// If the CC index exceeds the maximum number of carriers, reset them all
if (cc_idx >= SRSRAN_MAX_CARRIERS) {
for (uint32_t cc = 0; cc < SRSRAN_MAX_CARRIERS; cc++) {
reset_measurements(cc);
}
}
// Default all metrics to NAN to prevent providing invalid information on traces and other layers
std::unique_lock<std::mutex> lock(meas_mutex);
pathloss[cc_idx] = NAN;
avg_rsrp[cc_idx] = NAN;
avg_rsrp_dbm[cc_idx] = NAN;
avg_rsrq_db[cc_idx] = NAN;
avg_rssi_dbm[cc_idx] = NAN;
avg_cfo_hz[cc_idx] = NAN;
avg_sinr_db[cc_idx] = NAN;
avg_snr_db[cc_idx] = NAN;
avg_noise[cc_idx] = NAN;
avg_rsrp_neigh[cc_idx] = NAN;
}
After the for loop should be a return to prevent that.
// If the CC index exceeds the maximum number of carriers, reset them all
if (cc_idx >= SRSRAN_MAX_CARRIERS) {
for (uint32_t cc = 0; cc < SRSRAN_MAX_CARRIERS; cc++) {
reset_measurements(cc);
}
return;
}