In some places, the return value of msgb_alloc/msgb_alloc_headroom
is not checked before it is dereferenced.
This commit adds NULL checks to return with -ENOMEM from the calling
functions if the alloc function has failed.
Fixes: Coverity CID 1249692, 1293376
Sponsored-by: On-Waves ehf
---
src/gsm/lapdm.c | 3 +++
src/sim/reader.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 698f850..54d3a0b 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -675,6 +675,9 @@ static int l2_ph_rach_ind(struct lapdm_entity *le, uint8_t ra,
uint32_t fn, uint
struct gsm_time gt;
struct msgb *msg = msgb_alloc_headroom(512, 64, "RSL CHAN RQD");
+ if (!msg)
+ return -ENOMEM;
+
msg->l2h = msgb_push(msg, sizeof(*ch));
ch = (struct abis_rsl_cchan_hdr *)msg->l2h;
rsl_init_cchan_hdr(ch, RSL_MT_CHAN_RQD);
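Review bot: The new early return relies on `ENOMEM` being in scope, and the include block of lapdm.c is not on this page; if `<errno.h>` is not already included there, the hunk will not compile. The guard itself sits in the right place: `msg` is first dereferenced by `msgb_push` on the line directly after it. l2_ph_rach_ind continues outside the hunk and its callers are not visible, so whether a negative return value is propagated rather than ignored cannot be confirmed from here.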
diff --git a/src/sim/reader.c b/src/sim/reader.c
index 160f175..e7169b5 100644
--- a/src/sim/reader.c
+++ b/src/sim/reader.c
@@ -58,6 +58,9 @@ static int transceive_apdu_t0(struct osim_card_hdl *st, struct msgb
*amsg)
uint16_t sw;
int rc, num_resp = 0;
+ if (!tmsg)
+ return -ENOMEM;
+
/* create TPDU header from APDU header */
tpduh = (struct osim_apdu_cmd_hdr *) msgb_put(tmsg, sizeof(*tpduh));
memcpy(tpduh, msgb_apdu_h(amsg), sizeof(*tpduh));
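Review bot: The allocation that initializes `tmsg` is not inside the hunk (it presumably sits in the declaration block above `uint16_t sw;`), so the guard is correct only if nothing between that allocation and the new check touches `tmsg`; in the visible lines its first use is `msgb_put(tmsg, …)` after the guard, which is fine. If transceive_apdu_t0 acquires any other resource in that declaration block, the early `return -ENOMEM` would leak it, which is worth confirming since the function starts and continues outside the hunk. As in lapdm.c, `<errno.h>` must be in scope for `ENOMEM`.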
--
1.9.1
Currently out-of-memory is not handled by bssgp_msgb_alloc, leading
to SEGV failures if msgb_alloc_headroom returns NULL.
This commit adds an OSMO_ASSERT to catch this case, which improves
the situation only slightly. But bssgp_msgb_alloc is used in many
places without checking the return value, so just adding a
conditional early NULL return would not fix the issue either.
Fixes: Coverity CID 1293377
Sponsored-by: On-Waves ehf
---
src/gb/gprs_bssgp_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/gb/gprs_bssgp_util.c b/src/gb/gprs_bssgp_util.c
index fe66f46..3c42e4d 100644
--- a/src/gb/gprs_bssgp_util.c
+++ b/src/gb/gprs_bssgp_util.c
@@ -71,6 +71,10 @@ const char *bssgp_cause_str(enum gprs_bssgp_cause cause)
struct msgb *bssgp_msgb_alloc(void)
{
struct msgb *msg = msgb_alloc_headroom(4096, 128, "BSSGP");
+
+ /* TODO: Add handling of msg == NULL to this function and to all callers */
+ OSMO_ASSERT(msg != NULL);
+
msgb_bssgph(msg) = msg->data;
return msg;
}
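Review bot: The function's contract after this change — it never returns NULL and aborts the process on allocation failure — is only expressed by the TODO, so a comment on `bssgp_msgb_alloc` itself would tell callers what to expect, e.g. `/* Allocate a BSSGP msgb (4096 bytes, 128 bytes headroom). Never returns NULL: aborts via OSMO_ASSERT on allocation failure; see TODO below. */`. The assert does prevent the NULL dereference at `msgb_bssgph(msg) = msg->data;`, but it turns an out-of-memory condition into a deterministic process termination, so the follow-up the TODO describes (returning NULL and checking it in every caller) is what actually restores availability under memory pressure. The whole function body is within the hunk.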
--
1.9.1