Change in ...osmo-hlr[master]: hlr_ussd.c: rx_proc_ss_req(): fix NULL pointer dereference

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

fixeria gerrit-no-reply at lists.osmocom.org
Wed Jul 24 12:19:02 UTC 2019 

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hlr/+/14925


Change subject: hlr_ussd.c: rx_proc_ss_req(): fix NULL pointer dereference
......................................................................

hlr_ussd.c: rx_proc_ss_req(): fix NULL pointer dereference

The SS payload is mandatory for GSUP PROC_SS_{REQ,RSP} messages
with session state BEGIN or CONTINUE, and optional for the END.

Make sure that it's present for both BEGIN and CONTINUE, consider
received message as incorrect otherwise. In case of the END, call
handle_ussd() / handle_ss() only if SS payload is present.

Change-Id: Ia71cabbf396bd1388e764a1749e953ac1782e307
Fixes: CID#188841
---
M src/hlr_ussd.c
1 file changed, 16 insertions(+), 6 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-hlr refs/changes/25/14925/1

diff --git a/src/hlr_ussd.c b/src/hlr_ussd.c
index 773c571..1568815 100644
--- a/src/hlr_ussd.c
+++ b/src/hlr_ussd.c
@@ -519,6 +519,11 @@
 			/* FIXME: Send a Reject component? */
 			goto out_err;
 		}
+	} else if (gsup->session_state != OSMO_GSUP_SESSION_STATE_END) {
+		LOGP(DSS, LOGL_ERROR, "%s/0x%082x: Missing SS payload for '%s'\n",
+		     gsup->imsi, gsup->session_id,
+		     osmo_gsup_session_state_name(gsup->session_state));
+		goto out_err;
 	}
 
 	switch (gsup->session_state) {
@@ -606,13 +611,18 @@
 				gsup->imsi, gsup->session_id);
 			goto out_err;
 		}
-		if (ss_op_is_ussd(req.opcode)) {
-			/* dispatch unstructured SS to routing */
-			handle_ussd(conn, ss, gsup, &req);
-		} else {
-			/* dispatch non-call SS to internal code */
-			handle_ss(ss, gsup, &req);
+
+		/* SS payload is optional for END */
+		if (gsup->ss_info && gsup->ss_info_len) {
+			if (ss_op_is_ussd(req.opcode)) {
+				/* dispatch unstructured SS to routing */
+				handle_ussd(conn, ss, gsup, &req);
+			} else {
+				/* dispatch non-call SS to internal code */
+				handle_ss(ss, gsup, &req);
+			}
 		}
+
 		ss_session_free(ss);
 		break;
 	default:

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-hlr/+/14925
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-hlr
Gerrit-Branch: master
Gerrit-Change-Id: Ia71cabbf396bd1388e764a1749e953ac1782e307
Gerrit-Change-Number: 14925
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <axilirator at gmail.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20190724/5d1aa84d/attachment.htm>

More information about the gerrit-log mailing list