[MERGED] openbsc[master]: gsm0408_rcv_cc: guard against NULL subscriber

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Thu Feb 2 23:37:23 UTC 2017


Neels Hofmeyr has submitted this change and it was merged.

Change subject: gsm0408_rcv_cc: guard against NULL subscriber
......................................................................


gsm0408_rcv_cc: guard against NULL subscriber

Check conn->subscr against NULL.

gsm0408_rcv_cc() dereferences many conn members without checking presence: the
bts and lchan members may be expected to be NULL in the ongoing MSC split and
3G developments.

But the conn->subscr is initially NULL, so an MS sending a CC message before
something like a LU or CM Service Request will result in a segfault. Prevent
that.

Note: the upcoming VLR will be more restrictive on what messages are processed,
this is a "backport" to the situation on current master.

Change-Id: If067db7cc0dd3210d9eb1da15be6b637795a3ecf
---
M openbsc/src/libmsc/gsm_04_08.c
1 file changed, 5 insertions(+), 0 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved



diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 1e25754..8380710 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -3605,6 +3605,11 @@
 		return -EINVAL;
 	}
 
+	if (!conn->subscr) {
+		LOGP(DCC, LOGL_ERROR, "Invalid conn, no subscriber\n");
+		return -EINVAL;
+	}
+
 	/* Find transaction */
 	trans = trans_find_by_id(conn, GSM48_PDISC_CC, transaction_id);
 
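Review bot: The log line in the new `if (!conn->subscr)` branch carries no context that would let an operator tell which message or peer triggered it. Per the commit message this path is reached when an MS sends a CC message before a LU or CM Service Request, so it is triggerable from the radio side and may repeat. Consider including the transaction id (if `transaction_id` is already set at this point, as its use in the following `trans_find_by_id()` call suggests) and the CC message type in the log text. Also consider whether LOGL_ERROR is the right level for a condition a peer can provoke at will, since it allows log flooding. A one-line comment above the check saying that `conn->subscr` stays NULL until the subscriber is identified would record the reason for the guard in the code itself, not only in the commit message.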

-- 
To view, visit https://gerrit.osmocom.org/1662
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If067db7cc0dd3210d9eb1da15be6b637795a3ecf
Gerrit-PatchSet: 6
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder

