This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.org
Review at https://gerrit.osmocom.org/1228
bssgp_rx_paging(): Fix parsing of P-TMSI IE in Paging message
This was actually discovered by the following compiler warning in
gcc-6.2.0:
CC gprs_bssgp_bss.lo
gprs_bssgp_bss.c: In function ‘bssgp_rx_paging’:
gprs_bssgp_bss.c:544:2: warning: this ‘if’ clause does not guard...
[-Wmisleading-indentation]
if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
^~
gprs_bssgp_bss.c:548:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
*(pinfo->ptmsi) = ntohl(*(uint32_t *)
^
This is an actual bug. If we recevied a BSSGP Paging Request without
P-TMSI, we might crash or report some random memory as P-TMSI to the
caller in the output data structure.
Change-Id: Ib4f307827cd7cccc91c1415a6fb5428d7cf8416d
---
M src/gb/gprs_bssgp_bss.c
1 file changed, 2 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/28/1228/1
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c
index 61ed0c4..73c1350 100644
--- a/src/gb/gprs_bssgp_bss.c
+++ b/src/gb/gprs_bssgp_bss.c
@@ -542,11 +542,12 @@
/* Optional (P-)TMSI */
if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
- TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4)
+ TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4) {
if (!pinfo->ptmsi)
pinfo->ptmsi = talloc_zero_size(pinfo, sizeof(uint32_t));
*(pinfo->ptmsi) = ntohl(*(uint32_t *)
TLVP_VAL(&tp, BSSGP_IE_TMSI));
+ }
return 0;
--
To view, visit https://gerrit.osmocom.org/1228
To unsubscribe, visit https://gerrit.osmocom.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib4f307827cd7cccc91c1415a6fb5428d7cf8416d
Gerrit-PatchSet: 1
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>