
lte: fix global-buffer-overflow when nprb is equal to zero

Prevent access to McsToItbsUl data when looking at TransportBlockSizeTable[-1] in LteAmc.

Sanitizer log
gabri@ubuntu:/mnt/dev/tools/source/ns-3-dev$ ./build/utils/test-runner --test-name=lte-frequency-reuse
/mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-amc.cc:303:43: runtime error: index -1 out of bounds for type 'int [110][27]'
=================================================================
==51636==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe78cc2dbbc at pc 0x7fe78ba65e65 bp 0x7ffde70b25c0 sp 0x7ffde70b25b0
READ of size 4 at 0x7fe78cc2dbbc thread T0
    #0 0x7fe78ba65e64 in ns3::LteAmc::GetDlTbSizeFromMcs(int, int) /mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-amc.cc:303
    #1 0x7fe78c538aba in ns3::TdTbfqFfMacScheduler::DoSchedDlTriggerReq(ns3::FfMacSchedSapProvider::SchedDlTriggerReqParameters const&) /mnt/dev/tools/source/ns-3-dev/src/lte/model/tdtbfq-ff-mac-scheduler.cc:1160
    #2 0x7fe78c564736 in ns3::MemberSchedSapProvider<ns3::TdTbfqFfMacScheduler>::SchedDlTriggerReq(ns3::FfMacSchedSapProvider::SchedDlTriggerReqParameters const&) /mnt/dev/tools/source/ns-3-dev/build/include/ns3/ff-mac-sched-sap.h:409
    #3 0x7fe78c215596 in ns3::LteEnbMac::DoSubframeIndication(unsigned int, unsigned int) /mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-enb-mac.cc:588
    #4 0x7fe78c20921d in ns3::EnbMacMemberLteEnbPhySapUser::SubframeIndication(unsigned int, unsigned int) /mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-enb-mac.cc:297
    #5 0x7fe78b924105 in ns3::LteEnbPhy::StartSubFrame() /mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-enb-phy.cc:764
    #6 0x7fe78b949d54 in ns3::MakeEvent<void (ns3::LteEnbPhy::*)(), ns3::LteEnbPhy*>(void (ns3::LteEnbPhy::*)(), ns3::LteEnbPhy*)::EventMemberImpl0::Notify() (/mnt/dev/tools/source/ns-3-dev/build/lib/libns3-dev-lte-deb.so+0x3a9cd54)
    #7 0x7fe795252022 in ns3::EventImpl::Invoke() /mnt/dev/tools/source/ns-3-dev/src/core/model/event-impl.cc:51
    #8 0x7fe795260de2 in ns3::DefaultSimulatorImpl::ProcessOneEvent() /mnt/dev/tools/source/ns-3-dev/src/core/model/default-simulator-impl.cc:151
    #9 0x7fe795262dbd in ns3::DefaultSimulatorImpl::Run() /mnt/dev/tools/source/ns-3-dev/src/core/model/default-simulator-impl.cc:204
    #10 0x7fe79525436f in ns3::Simulator::Run() /mnt/dev/tools/source/ns-3-dev/src/core/model/simulator.cc:176
    #11 0x7fe7b0f77ee2 in LteDistributedFfrAreaTestCase::DoRun() /mnt/dev/tools/source/ns-3-dev/src/lte/test/lte-test-frequency-reuse.cc:1777
    #12 0x7fe7952d125a in ns3::TestCase::Run(ns3::TestRunnerImpl*) /mnt/dev/tools/source/ns-3-dev/src/core/model/test.cc:363
    #13 0x7fe7952d0f4d in ns3::TestCase::Run(ns3::TestRunnerImpl*) /mnt/dev/tools/source/ns-3-dev/src/core/model/test.cc:357
    #14 0x7fe7952e39c0 in ns3::TestRunnerImpl::Run(int, char**) /mnt/dev/tools/source/ns-3-dev/src/core/model/test.cc:1094
    #15 0x7fe7952e427e in ns3::TestRunner::Run(int, char**) /mnt/dev/tools/source/ns-3-dev/src/core/model/test.cc:1118
    #16 0x564a13d67c9c in main /mnt/dev/tools/source/ns-3-dev/utils/test-runner.cc:23
    #17 0x7fe793cde0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #18 0x564a13d67bbd in _start (/mnt/dev/tools/source/ns-3-dev/build/utils/test-runner+0xae0bbd)

0x7fe78cc2dbbc is located 40 bytes to the right of global variable 'McsToItbsUl' defined in '/mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-amc.cc:105:18' (0x7fe78cc2db20) of size 116
0x7fe78cc2dbbc is located 4 bytes to the left of global variable 'TransportBlockSizeTable' defined in '/mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-amc.cc:118:18' (0x7fe78cc2dbc0) of size 11880
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/dev/tools/source/ns-3-dev/src/lte/model/lte-amc.cc:303 in ns3::LteAmc::GetDlTbSizeFromMcs(int, int)
Shadow bytes around the buggy address:
  0x0ffd7197db20: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ffd7197db30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd7197db40: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ffd7197db50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9
  0x0ffd7197db60: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffd7197db70: 00 00 04 f9 f9 f9 f9[f9]00 00 00 00 00 00 00 00
  0x0ffd7197db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd7197db90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd7197dba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd7197dbb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffd7197dbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==51636==ABORTING
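The report above pins the read to lte-amc.cc:303, where row `nprb - 1` of `TransportBlockSizeTable` (an `int [110][27]`) is indexed; with `nprb == 0` that is row -1, which lands in the redzone right after the neighbouring global `McsToItbsUl`. The following is an added, self-contained C++ illustration of that defect next to a bounds-checked lookup. It is not ns-3 code: the table is a constructed 4x3 miniature with made-up values, the function names `TbSizeUnchecked`, `TbSizeChecked` and `RejectsIndex` are hypothetical, and treating `nprb == 0` as "nothing allocated, TB size 0" is an assumption made for the example rather than what the merge request implements.

```cpp
#include <cstdio>
#include <stdexcept>

// Constructed miniature of the TransportBlockSizeTable named in the report:
// row index is (nprb - 1), column index is itbs. ns-3's real table is
// int[110][27]; these values are made up for the example.
constexpr int kMaxPrb = 4;
constexpr int kMaxItbs = 3;
static const int kTbSizeTable[kMaxPrb][kMaxItbs] = {
    {16, 24, 32},
    {32, 56, 72},
    {56, 88, 144},
    {88, 144, 176},
};

// Lookup shaped like the faulty access. With nprb == 0 it reads row -1, i.e.
// memory in front of the array, which is the global-buffer-overflow ASan
// reported (the bytes just before the table belong to another global).
// Kept here only to show the defect; never called with nprb == 0 below.
int TbSizeUnchecked(int itbs, int nprb) {
    return kTbSizeTable[nprb - 1][itbs];
}

// Hardened lookup: validate both indices before touching the table.
// Assumption for this example: nprb == 0 means "no resource blocks were
// allocated", so the transport block size is 0. Any other out-of-range
// index is a caller bug and is rejected instead of being silently clamped.
int TbSizeChecked(int itbs, int nprb) {
    if (nprb == 0) {
        return 0;
    }
    if (nprb < 0 || nprb > kMaxPrb || itbs < 0 || itbs >= kMaxItbs) {
        throw std::out_of_range("TB size lookup: index outside table");
    }
    return kTbSizeTable[nprb - 1][itbs];
}

// True when the checked lookup rejects the pair (for callers and tests that
// want a status instead of an exception).
bool RejectsIndex(int itbs, int nprb) {
    try {
        (void)TbSizeChecked(itbs, nprb);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    // nprb == 0 is the scheduler corner case from the report; the checked
    // version answers 0 where the unchecked one would read out of bounds.
    std::printf("itbs=1 nprb=0 -> %d\n", TbSizeChecked(1, 0));
    std::printf("itbs=2 nprb=4 -> %d\n", TbSizeChecked(2, 4));
    std::printf("itbs=0 nprb=5 rejected: %s\n", RejectsIndex(0, 5) ? "yes" : "no");
    return 0;
}
```

Building this with `-fsanitize=address,undefined` and calling `TbSizeUnchecked(1, 0)` reproduces the same class of report as above (index -1 on the row dimension); the checked variant never reaches the array with a bad index, so the sanitizer stays quiet and the scheduler path gets a defined value instead of whatever sits in the neighbouring global.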
