From b535e391b0f1d030373159ddbf54483d7fa54763 Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck
Date: Tue, 7 Apr 2015 17:52:44 +0200
Subject: bssgp: Ensure non-NULL bctx before calling bssgp_rx_ptp (Coverity)

Currently bssgp_rx_ptp might be called with bctx being NULL, when the NS BVCI is neither BVCI_SIGNALLING nor BVCI_PTM, but the message is a BVC_RESET or it contains an BVCI IE != BVCI_SIGNALLING where the BVCI is not known. This patch ensures that bssgp_rx_ptp will only be called with a non-NULL bctx. A log message will be issued, if the bctx is NULL when this was not expected.

Fixes: Coverity CID 1040674
Sponsored-by: On-Waves ehf
---
 src/gb/gprs_bssgp.c | 7 ++++++-
 tests/gb/gprs_bssgp_test.c | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c
index a3fd6aa8..4c93b694 100644
--- a/src/gb/gprs_bssgp.c
+++ b/src/gb/gprs_bssgp.c
@@ -1073,8 +1073,13 @@ int bssgp_rcvmsg(struct msgb *msg)
 rc = bssgp_rx_sign(msg, &tp, bctx);
 else if (ns_bvci == BVCI_PTM)
 rc = bssgp_tx_status(BSSGP_CAUSE_PDU_INCOMP_FEAT, NULL, msg);
- else
+ else if (bctx)
 rc = bssgp_rx_ptp(msg, &tp, bctx);
+ else
+ LOGP(DBSSGP, LOGL_NOTICE,
+ "NSEI=%u/BVCI=%u Cannot handle PDU type %u for "
+ "unknown BVCI, NS BVCI %u\n",
+ msgb_nsei(msg), bvci, pdu_type, ns_bvci);

 return rc;
 }
diff --git a/tests/gb/gprs_bssgp_test.c b/tests/gb/gprs_bssgp_test.c
index 3d1384b7..b454430b 100644
--- a/tests/gb/gprs_bssgp_test.c
+++ b/tests/gb/gprs_bssgp_test.c
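Review bot: The new final `else` in bssgp_rcvmsg (src/gb/gprs_bssgp.c) only logs and never assigns `rc`, so a PDU dropped for lack of a BVC context is returned with whatever value `rc` already held. The initialisation of `rc` is outside the hunk; if it is 0, the caller sees success for a discarded message. Consider bracing the branch and setting an error after the LOGP, for example `rc = -EINVAL;` or whichever negative code the rest of the function uses, so callers can tell a handled PDU from one rejected for an unknown BVCI. Since this path is selected by BVCI values taken from the received message, it is also worth confirming that a misbehaving peer cannot use the LOGL_NOTICE line to flood the log.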
@@ -159,6 +159,22 @@ static void test_bssgp_status(void)
 printf("----- %s END\n", __func__);
 }

+static void test_bssgp_bad_reset()
+{
+ struct msgb *msg = bssgp_msgb_alloc();
+ uint16_t bvci_be = htons(2);
+ uint8_t cause = BSSGP_CAUSE_OML_INTERV;
+
+ msgb_v_put(msg, BSSGP_PDUT_BVC_RESET);
+ msgb_tvlv_put(msg, BSSGP_IE_BVCI, sizeof(bvci_be), (uint8_t *)&bvci_be);
+ msgb_tvlv_put(msg, BSSGP_IE_CAUSE, sizeof(cause), &cause);
+
+ msgb_bvci(msg) = 0xbad;
+
+ msgb_bssgp_send_and_free(msg);
+}
+
+
 static struct log_info info = {};

 int main(int argc, char **argv)
@@ -181,6 +197,7 @@ int main(int argc, char **argv)
 printf("===== BSSGP test START\n");
 test_bssgp_suspend_resume();
 test_bssgp_status();
+ test_bssgp_bad_reset();
 printf("===== BSSGP test END\n\n");

 exit(EXIT_SUCCESS);
--
cgit v1.2.3
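Review bot: `test_bssgp_bad_reset()` is declared with empty parentheses, which in C leaves the function without a prototype; write `static void test_bssgp_bad_reset(void)` to match `test_bssgp_status(void)` named in the hunk header. The test also asserts nothing and prints no markers, so it passes as long as `msgb_bssgp_send_and_free()` returns without crashing. A short comment above it would record that intent, such as `/* BVC-RESET with BVCI IE 2 sent on unknown NS BVCI 0xbad: must be dropped without passing a NULL bctx to bssgp_rx_ptp */`. If the log output is captured by the test harness, checking for the new "Cannot handle PDU type" line would pin the behaviour instead of relying on the absence of a crash.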