From faeea348d6245fd7625bcb718a583283bc09f99d Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol <pespin@sysmocom.de>
Date: Tue, 17 Jul 2018 18:08:54 +0200
Subject: sgsn: subscriber: Avoid calling memcpy with NULL src

Fixes: OS#3389

Change-Id: I2d1c01ed8b8d2233ced6d70972183ed4fc99007a
---
 src/gprs/gprs_subscriber.c |  6 +++++-
 src/gprs/sgsn_libgtp.c     | 27 +++++++++++++++++----------
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/gprs/gprs_subscriber.c b/src/gprs/gprs_subscriber.c
index 1bebc6526..dfd697b72 100644
--- a/src/gprs/gprs_subscriber.c
+++ b/src/gprs/gprs_subscriber.c
@@ -374,7 +374,11 @@ static void gprs_subscr_gsup_insert_data(struct gprs_subscr *subscr,
 		pdp_data->pdp_type = pdp_info->pdp_type;
 		osmo_apn_to_str(pdp_data->apn_str,
 				pdp_info->apn_enc, pdp_info->apn_enc_len);
-		memcpy(pdp_data->qos_subscribed, pdp_info->qos_enc, pdp_info->qos_enc_len);
+
+		if (pdp_info->qos_enc) {
+			memcpy(&pdp_data->qos_subscribed[0], pdp_info->qos_enc,
+			       pdp_info->qos_enc_len);
+		}
 		pdp_data->qos_subscribed_len = pdp_info->qos_enc_len;
 
 		if (pdp_info->pdp_charg_enc && pdp_info->pdp_charg_enc_len >= sizeof(pdp_data->pdp_charg)) {
diff --git a/src/gprs/sgsn_libgtp.c b/src/gprs/sgsn_libgtp.c
index 659392ee8..23b881100 100644
--- a/src/gprs/sgsn_libgtp.c
+++ b/src/gprs/sgsn_libgtp.c
@@ -198,18 +198,25 @@ struct sgsn_pdp_ctx *sgsn_create_pdp_ctx(struct sgsn_ggsn_ctx *ggsn,
 	pdp->eua.v[0] |= 0xf0;
 
 	/* APN name from GMM */
-	pdp->apn_use.l = TLVP_LEN(tp, GSM48_IE_GSM_APN);
-	if (pdp->apn_use.l > sizeof(pdp->apn_use.v))
-		pdp->apn_use.l = sizeof(pdp->apn_use.v);
-	memcpy(pdp->apn_use.v, TLVP_VAL(tp, GSM48_IE_GSM_APN),
-		pdp->apn_use.l);
+	if (TLVP_PRESENT(tp, GSM48_IE_GSM_APN)) {
+		pdp->apn_use.l = TLVP_LEN(tp, GSM48_IE_GSM_APN);
+		if (pdp->apn_use.l > sizeof(pdp->apn_use.v))
+			pdp->apn_use.l = sizeof(pdp->apn_use.v);
+		memcpy(pdp->apn_use.v, TLVP_VAL(tp, GSM48_IE_GSM_APN), pdp->apn_use.l);
+	} else {
+		pdp->apn_use.l = 0;
+	}
 
 	/* Protocol Configuration Options from GMM */
-	pdp->pco_req.l = TLVP_LEN(tp, GSM48_IE_GSM_PROTO_CONF_OPT);
-	if (pdp->pco_req.l > sizeof(pdp->pco_req.v))
-		pdp->pco_req.l = sizeof(pdp->pco_req.v);
-	memcpy(pdp->pco_req.v, TLVP_VAL(tp, GSM48_IE_GSM_PROTO_CONF_OPT),
-		pdp->pco_req.l);
+	if (TLVP_PRESENT(tp, GSM48_IE_GSM_PROTO_CONF_OPT)) {
+		pdp->pco_req.l = TLVP_LEN(tp, GSM48_IE_GSM_PROTO_CONF_OPT);
+		if (pdp->pco_req.l > sizeof(pdp->pco_req.v))
+			pdp->pco_req.l = sizeof(pdp->pco_req.v);
+		memcpy(pdp->pco_req.v, TLVP_VAL(tp, GSM48_IE_GSM_PROTO_CONF_OPT),
+		       pdp->pco_req.l);
+	} else {
+		pdp->pco_req.l = 0;
+	}
 
 	/* QoS options from GMM or remote */
 	if (TLVP_LEN(tp, OSMO_IE_GSM_SUB_QOS) > 0) {
-- 
cgit v1.2.3