author | Philipp Maier <pmaier@sysmocom.de> | 2021-01-20 23:40:14 +0100 |
committer | Philipp Maier <pmaier@sysmocom.de> | 2021-01-22 21:06:28 +0100 |
commit | b6a04990ab2dbabefe334faea4d7e22555efcbbd (patch) | |
tree | 335d0acb14078611b737e28bcebc050aa480d524 | |
parent | cf11411ebb2f0ecb4297b3357c38f34415d6fedc (diff) |
gprs_ns2_vc_fsm: fix nullpointer dereference when sending uintdatapmaier/rim3
The function gprs_ns2_vc_rx() is called from gprs_ns2.c with tp=NULL.
This leads to a null pointer dereference because gprs_ns2_vc_rx() is
accessing tp several times. tp is also handed up into the FSM, with the
exception of unitdata. Apparently for unitdata tp does not exist, so we
can move up the part where unitdata is handed up into the FSM and after
that we can check if tp is NULL to make sure the code which is accessing
it is not executed.
Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a
-rw-r--r-- | src/gb/gprs_ns2_vc_fsm.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/gb/gprs_ns2_vc_fsm.c b/src/gb/gprs_ns2_vc_fsm.c
index fc2a86a8..978ff268 100644
--- a/src/gb/gprs_ns2_vc_fsm.c
+++ b/src/gb/gprs_ns2_vc_fsm.c
@@ -756,6 +756,16 @@ int gprs_ns2_vc_rx(struct gprs_ns2_vc *nsvc, struct msgb *msg, struct tlv_parsed
 	/* TODO: handle RESET with different VCI */
 	/* TODO: handle BLOCK/UNBLOCK/ALIVE with different VCI */
+	if (nsh->pdu_type == NS_PDUT_UNITDATA) {
+		/* UNITDATA have to free msg because it might send the msg layer upwards */
+		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
+		return 0;
+	}
+
+	/* pdu_type set to NS_PDUT_UNITDATA is the only case where *tp may be
+	 * NULL, in all other cases *tp must point to valid memory. */
+	OSMO_ASSERT(tp);
+
 	if (gprs_ns2_validate(nsvc, nsh->pdu_type, msg, tp, &cause)) {
 		if (nsh->pdu_type != NS_PDUT_STATUS) {
 			rc = ns2_tx_status(nsvc, cause, 0, msg);
@@ -788,10 +798,6 @@ int gprs_ns2_vc_rx(struct gprs_ns2_vc *nsvc, struct msgb *msg, struct tlv_parsed
 	case NS_PDUT_ALIVE_ACK:
 		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_ALIVE_ACK, tp);
 		break;
-	case NS_PDUT_UNITDATA:
-		/* UNITDATA have to free msg because it might send the msg layer upwards */
-		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
-		return 0;
 	default:
 		LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx unknown NS PDU type %s\n", nsvc->nse->nsei, get_value_string(gprs_ns_pdu_strings, nsh->pdu_type));
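Review bot: The new early return in the first hunk dispatches GPRS_NS2_EV_RX_UNITDATA before gprs_ns2_validate() runs, whereas the removed switch case in the second hunk sat after validation, so any checks gprs_ns2_validate() applied to UNITDATA (I cannot see its body from here) are now skipped and must be covered by the caller in gprs_ns2.c or by the FSM's RX_UNITDATA handler. The added OSMO_ASSERT(tp) also means that if the gprs_ns2.c call site ever passes tp=NULL for a PDU type other than UNITDATA, a PDU received from the network ends in a process abort rather than an error return; since nsh->pdu_type comes from the received frame, it is worth confirming at the call site (outside this hunk) that tp is non-NULL for every non-UNITDATA path, and that the FSM handler for RX_UNITDATA does not itself consult tp. The tp-may-be-NULL contract should also be stated on the function's doxygen comment rather than only inline, e.g. `\param[in] tp parsed TLVs of the NS PDU, or NULL for NS_PDUT_UNITDATA (no TLV section is parsed for it)`. gprs_ns2_vc_rx() starts and ends outside both hunks.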