authorPhilipp Maier <pmaier@sysmocom.de>2021-01-20 23:40:14 +0100
committerPhilipp Maier <pmaier@sysmocom.de>2021-01-22 21:06:28 +0100
commitb6a04990ab2dbabefe334faea4d7e22555efcbbd (patch)
tree335d0acb14078611b737e28bcebc050aa480d524
parentcf11411ebb2f0ecb4297b3357c38f34415d6fedc (diff)
gprs_ns2_vc_fsm: fix nullpointer dereference when sending uintdatapmaier/rim3
the function gprs_ns2_vc_rx() is called from gprs_ns2.c with tp=NULL. This leads to a null pointer dereference because gprs_ns2_vc_rx() accesses tp several times. tp is also handed up into the FSM, with the exception of unitdata. Apparently for unitdata tp does not exist, so we can move up the part where unitdata is handed up into the FSM and after that we can check if tp is NULL to make sure the code which is accessing it is not executed. Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a
-rw-r--r--src/gb/gprs_ns2_vc_fsm.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/gb/gprs_ns2_vc_fsm.c b/src/gb/gprs_ns2_vc_fsm.c
index fc2a86a8..978ff268 100644
--- a/src/gb/gprs_ns2_vc_fsm.c
+++ b/src/gb/gprs_ns2_vc_fsm.c
@@ -756,6 +756,16 @@ int gprs_ns2_vc_rx(struct gprs_ns2_vc *nsvc, struct msgb *msg, struct tlv_parsed
/* TODO: handle RESET with different VCI */
/* TODO: handle BLOCK/UNBLOCK/ALIVE with different VCI */
+ if (nsh->pdu_type == NS_PDUT_UNITDATA) {
+ /* UNITDATA have to free msg because it might send the msg layer upwards */
+ osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
+ return 0;
+ }
+
+ /* pdu_type set to NS_PDUT_UNITDATA is the only case where *tp may be
+ * NULL, in all other cases *tp must point to valid memory. */
+ OSMO_ASSERT(tp);
+
if (gprs_ns2_validate(nsvc, nsh->pdu_type, msg, tp, &cause)) {
if (nsh->pdu_type != NS_PDUT_STATUS) {
rc = ns2_tx_status(nsvc, cause, 0, msg);
@@ -788,10 +798,6 @@ int gprs_ns2_vc_rx(struct gprs_ns2_vc *nsvc, struct msgb *msg, struct tlv_parsed
case NS_PDUT_ALIVE_ACK:
osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_ALIVE_ACK, tp);
break;
- case NS_PDUT_UNITDATA:
- /* UNITDATA have to free msg because it might send the msg layer upwards */
- osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
- return 0;
default:
LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx unknown NS PDU type %s\n", nsvc->nse->nsei,
get_value_string(gprs_ns_pdu_strings, nsh->pdu_type));
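Review bot: The early return added for NS_PDUT_UNITDATA in the first hunk now bypasses the `gprs_ns2_validate(nsvc, nsh->pdu_type, msg, tp, &cause)` call that follows it, so UNITDATA is handed to the FSM without whatever per-PDU or NS-VC state checks that function applied; on the old side UNITDATA did pass through it (and crashed on tp) before reaching the switch case removed in the second hunk. That is only safe if the GPRS_NS2_EV_RX_UNITDATA handler in the FSM performs its own state check (e.g. dropping UNITDATA on a blocked or dead NS-VC), which I cannot see from here and which seems worth confirming in the commit message. The comment on the new block reads awkwardly; I would write it as `/* UNITDATA: the FSM takes ownership of msg (it may pass it up the stack), so return here instead of continuing below */`. gprs_ns2_vc_rx() starts before the first hunk and continues past the second, so the earlier use of `nsh` and any msg cleanup after the switch are outside this view.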