diff options
| author | Ben Hilburn <ben.hilburn@ettus.com> | 2015-08-28 20:20:29 -0700 |
|---|---|---|
| committer | Ben Hilburn <ben.hilburn@ettus.com> | 2015-08-28 20:20:29 -0700 |
| commit | ff5eef1c94649a26b893bbf45455190bc72c6b4a (patch) | |
| tree | baf2603571f0f4805db67829ff91977d47fbfbc3 /gr-digital/lib/lms_dd_equalizer_cc_impl.cc | |
| parent | b19cb7e746c5482a8890b1711d1984dd04c2bb38 (diff) | |
Addresses Defects 1046385 & 1046340: Out-of-bounds access
Both of these defects are for the second parameter of the `constellation`
class' `map_to_points` function that accepts a pointer to an array of
`gr_complex` values. In both of these defects, a class is calling this function
and passing the address of a single `gr_complex` value in place of an array
pointer. The only reason this isn't exploding with SEGFAULTs is because both of
these functions happen to use the default constructor of `constellation`, which
sets the loop limit in `map_to_points` to `1`. It's generally a dangerous
design, but changing the function prototype seems heavy heanded, and adding
additional conditionals will end up affecting the fast-path. For now, I am just
documenting this oddity in the code.
Diffstat (limited to 'gr-digital/lib/lms_dd_equalizer_cc_impl.cc')
| -rw-r--r-- | gr-digital/lib/lms_dd_equalizer_cc_impl.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/gr-digital/lib/lms_dd_equalizer_cc_impl.cc b/gr-digital/lib/lms_dd_equalizer_cc_impl.cc index 530b3aa6fd..296d8feb13 100644 --- a/gr-digital/lib/lms_dd_equalizer_cc_impl.cc +++ b/gr-digital/lib/lms_dd_equalizer_cc_impl.cc @@ -86,6 +86,12 @@ namespace gr { lms_dd_equalizer_cc_impl::error(const gr_complex &out) { gr_complex decision, error; + // The `map_to_points` function will treat `decision` as an array pointer. + // This call is "safe" because `map_to_points` is limited by the + // dimensionality of the constellation. This class calls the + // `constellation` class default constructor, which initializes the + // dimensionality value to `1`. Thus, Only the single `gr_complex` value + // will be dereferenced. d_cnst->map_to_points(d_cnst->decision_maker(&out), &decision); error = decision - out; return error; |