authorHarald Welte2011-07-16 18:01:48 +0200
committerHarald Welte2011-07-16 18:01:48 +0200
commitd5c9c7362294761a7c103a4af688a6a367ac43dd (patch)
tree3ac75675061cd2a84bd5e5554598b9cf9fb764e9 /src/target
parentcalypso/uart.c: Fix array bounds checking (diff)
tpu_window: Fix int16_t overflow in tpu_window calculation
First we add 55500 to an int16_t, then later we subtract it again. The bug never became apparent only because we wrap twice: once when adding and once when subtracting. Discovered by Smatch: firmware/layer1/tpu_window.c +127 l1s_rx_win_ctrl(24) warn: value 55000 can't fit into 32767 'stop'
Diffstat (limited to 'src/target')
-rw-r--r--src/target/firmware/layer1/tpu_window.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/target/firmware/layer1/tpu_window.c b/src/target/firmware/layer1/tpu_window.c
index 8d9c899..1ac4ce4 100644
--- a/src/target/firmware/layer1/tpu_window.c
+++ b/src/target/firmware/layer1/tpu_window.c
@@ -102,7 +102,8 @@ void l1s_win_init(void)
void l1s_rx_win_ctrl(uint16_t arfcn, enum l1_rxwin_type wtype, uint8_t tn_ofs)
{
- int16_t start, stop;
+ int16_t start;
+ int32_t stop; /* prevent overflow of int16_t in L1_RXWIN_FB */
/* TN offset & TA adjust */
start = DSP_SETUP_TIME;
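Review bot: The new comment on `stop` names the case that overflows but not why `start` can stay `int16_t` next to it, so a later reader cannot tell whether the asymmetry is deliberate. I would expand it to something like `/* L1_RXWIN_FB pushes stop past INT16_MAX; keep it 32 bit until the final truncation. start stays within int16_t */`, provided that claim about `start` really holds. The body of l1s_rx_win_ctrl() continues outside this hunk, so the arithmetic on `start` and `stop` between the two hunks could not be checked here.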
@@ -128,7 +129,7 @@ void l1s_rx_win_ctrl(uint16_t arfcn, enum l1_rxwin_type wtype, uint8_t tn_ofs)
}
/* Window close for ABB */
- twl3025_downlink(0, stop);
+ twl3025_downlink(0, stop & 0xffff);
/* window close for TRF6151 */
trf6151_set_mode(TRF6151_IDLE);
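Review bot: The `stop & 0xffff` argument to twl3025_downlink() can still be as large as 65535, so the narrowing has only moved from the assignment into the call. The callee's prototype is not visible in this hunk; if its second parameter is a signed 16-bit type, values above 32767 are converted in an implementation-defined way, which is the same wrap the commit message describes. If a 16-bit wrap is what the ABB timing expects, say so at the call with a comment such as `/* deliberate truncation to 16 bit for the ABB window close */` and make the conversion explicit; if not, reduce `stop` to the valid range before the call. The function starts and ends outside this hunk.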