First we add 55500 to an int16_t, then later we subtract it again.
The bug only didn't become apparent as we wrap twice, once adding,
then subtracting.
Discovered by Smatch:
firmware/layer1/tpu_window.c +127 l1s_rx_win_ctrl(24) warn: value 55000 can't fit into 32767 'stop'
void l1s_rx_win_ctrl(uint16_t arfcn, enum l1_rxwin_type wtype, uint8_t tn_ofs)
{
- int16_t start, stop;
+ int16_t start;
+ int32_t stop; /* prevent overflow of int16_t in L1_RXWIN_FB */
/* TN offset & TA adjust */
start = DSP_SETUP_TIME;
}
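Review bot: the comment on the new `int32_t stop;` declaration names L1_RXWIN_FB as the overflowing case, but this hunk shows neither the addition nor the later subtraction the commit message describes, so a reader of the diff cannot see why widening only `stop` (and not `start`, which stays `int16_t`) is sufficient. Suggest extending the comment to state that both the add and the subtract are now carried out in 32 bits before the value is handed on, e.g. `/* int32_t: the L1_RXWIN_FB offset is added and later subtracted; keep both steps free of int16_t wrap-around */`, so the next person does not narrow it back.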
/* Window close for ABB */
- twl3025_downlink(0, stop);
+ twl3025_downlink(0, stop & 0xffff);
/* window close for TRF6151 */
trf6151_set_mode(TRF6151_IDLE);
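Review bot: `twl3025_downlink(0, stop & 0xffff);` masks rather than checks. If the subtraction has brought `stop` back into range, the mask is a no-op and only obscures that expectation; if it has not, the mask silently truncates instead of surfacing the error the Smatch warning pointed at, and a negative `stop` becomes a large positive window value. Since the parameter type of `twl3025_downlink` is not visible in this hunk, suggest either dropping the mask and relying on the declared parameter type, or keeping it together with a comment stating that `stop` is expected to be within 16-bit range here (and, where the build supports it, a debug-time assertion to that effect).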