[MERGED] osmo-msc[master]: msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Jan 24 22:30:12 UTC 2018


Harald Welte has submitted this change and it was merged.

Change subject: msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message
......................................................................


msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message

According to TS 44.008 Section 3.2.1.31, the "Layer 3 Message Contents"
IE of the BSSMAP Cipher Mode Complete is optional. The BSC may hence
include that IE or not include it.

Without this patch, OsmoMSC is crashing if that IE was missing:

<000a> a_iface_bssap.c:699 Rx BSC DT: 00 03 55 2c 02
<000a> a_iface_bssap.c:629 Rx MSC DT1 BSSMAP CIPHER MODE COMPLETE
<001f> a_iface_bssap.c:91 Found A subscriber for conn_id 1
<000a> a_iface_bssap.c:415 BSC sends cipher mode complete (conn_id=1)
==5611== Invalid read of size 8
==5611==    at 0x128D0F: msc_cipher_mode_compl (osmo_msc.c:159)
==5611==    by 0x114F62: bssmap_rx_ciph_compl.isra.8 (a_iface_bssap.c:432)
==5611==    by 0x113267: sccp_sap_up (a_iface.c:520)

Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee
Closes: OS#2871
---
M src/libmsc/osmo_msc.c
1 file changed, 26 insertions(+), 26 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified

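Added example, not osmo-msc code and not part of this change: a self-contained C parser for the BSSMAP CIPHER MODE COMPLETE PDU that treats the Layer 3 Message Contents IE as optional, as the commit message describes, and then pulls the IMEISV out of the embedded RR CIPHERING MODE COMPLETE only when that IE is present and at least as long as the 04.08 header. The 5-octet PDU from the log above (00 03 55 2c 02: BSSAP discriminator, length, message type 0x55, Chosen Encryption Algorithm IE 0x2c with value 0x02, no Layer 3 Message Contents IE 0x20) is one of the inputs; the other two PDUs, including the IMEISV 1234567890123456, are constructed. The IE identifiers and message types are the standard TS 48.008 / TS 44.018 / TS 24.008 values; the struct and function names are mine.

```c
/* Added example, not osmo-msc code: BSSMAP CIPHER MODE COMPLETE parser that treats
 * the Layer 3 Message Contents IE as optional and checks every length before use. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BSSMAP_MT_CIPH_MODE_COMPL 0x55  /* TS 48.008 message type */
#define BSSMAP_IE_L3_MSG_CONTENTS 0x20  /* TLV, optional */
#define BSSMAP_IE_CHOSEN_ENCR_ALG 0x2c  /* TV (one octet), optional */
#define GSM48_PDISC_RR            0x06  /* TS 44.018 protocol discriminator */
#define GSM48_MT_RR_CIPH_M_COMPL  0x32
#define GSM48_IE_MOBILE_ID        0x17  /* TLV */
#define GSM_MI_TYPE_IMEISV        0x03  /* low 3 bits of the first MI octet */

struct ciph_mode_compl {
	int has_alg;        /* Chosen Encryption Algorithm IE seen */
	uint8_t alg_id;     /* its value, 0x02 = A5/1 */
	const uint8_t *l3;  /* Layer 3 Message Contents value, NULL if absent */
	size_t l3_len;
};

/* 0 on success, negative if the PDU is malformed. */
int parse_ciph_mode_compl(const uint8_t *buf, size_t len, struct ciph_mode_compl *out)
{
	size_t pos = 3;
	memset(out, 0, sizeof(*out));
	if (len < 3 || buf[0] != 0x00 || buf[2] != BSSMAP_MT_CIPH_MODE_COMPL)
		return -1;                              /* 0x00 = BSSAP BSS management */
	if ((size_t)buf[1] != len - 2) return -2;   /* BSSAP length must cover the rest */
	while (pos < len) {
		uint8_t iei = buf[pos++];
		if (iei == BSSMAP_IE_CHOSEN_ENCR_ALG) {
			if (pos >= len) return -3;
			out->has_alg = 1;
			out->alg_id = buf[pos++];
		} else if (iei == BSSMAP_IE_L3_MSG_CONTENTS) {
			if (pos >= len) return -4;
			size_t l = buf[pos++];
			if (l > len - pos) return -5;       /* value runs past the PDU */
			out->l3 = buf + pos;                /* may be a zero-length IE */
			out->l3_len = l;
			pos += l;
		} else {
			return -6;  /* unknown IE, length unknown: cannot skip safely */
		}
	}
	return 0;
}

/* Unpack the BCD digits of a Mobile Identity (TS 24.008 10.5.1.4); caller ensures mi_len >= 1. */
static int decode_mi_digits(const uint8_t *mi, size_t mi_len, char *out, size_t out_len)
{
	size_t ndigits = (mi[0] & 0x08) ? 2 * mi_len - 1 : 2 * mi_len - 2, n;
	if (ndigits + 1 > out_len) return -1;
	for (n = 0; n < ndigits; n++) {
		uint8_t oct = mi[(n + 1) / 2];          /* digit 1 is the high nibble of octet 0 */
		uint8_t nib = (n & 1) ? (oct & 0x0f) : (oct >> 4);
		if (nib > 9) return -2;                 /* not a BCD digit */
		out[n] = (char)('0' + nib);
	}
	out[n] = '\0';
	return (int)n;
}

/* 1 = IMEISV copied to out, 0 = L3 IE or Mobile Identity absent, <0 = malformed. */
int ciph_mode_compl_imeisv(const struct ciph_mode_compl *c, char *out, size_t out_len)
{
	const uint8_t *p; size_t rem;
	if (!c->l3) return 0;                       /* the case this patch handles */
	if (c->l3_len < 2) return -1;               /* 2-octet 04.08 header; l3_len - 2 would wrap */
	if ((c->l3[0] & 0x0f) != GSM48_PDISC_RR || c->l3[1] != GSM48_MT_RR_CIPH_M_COMPL)
		return -2;
	p = c->l3 + 2; rem = c->l3_len - 2;
	while (rem > 0) {                           /* only TLV IEs follow in this message */
		if (rem < 2) return -3;
		uint8_t iei = p[0], l = p[1];
		if (l > rem - 2) return -4;
		if (iei == GSM48_IE_MOBILE_ID && l > 0 &&   /* length checked before value */
		    (p[2] & 0x07) == GSM_MI_TYPE_IMEISV)
			return decode_mi_digits(p + 2, l, out, out_len) < 0 ? -5 : 1;
		p += 2 + l;
		rem -= 2 + l;
	}
	return 0;
}

/* msg_no_l3 is the PDU from the log in the commit message; the other two are constructed. */
static const uint8_t msg_no_l3[] = { 0x00, 0x03, 0x55, 0x2c, 0x02 };
static const uint8_t msg_with_l3[] = {        /* IMEISV 1234567890123456, BCD-packed */
	0x00, 0x12, 0x55, 0x20, 0x0d, 0x06, 0x32, 0x17, 0x09,
	0x13, 0x32, 0x54, 0x76, 0x98, 0x10, 0x32, 0x54, 0xf6, 0x2c, 0x02 };
static const uint8_t msg_short_l3[] = { 0x00, 0x04, 0x55, 0x20, 0x01, 0x06 };

int main(void)
{
	struct ciph_mode_compl c; char imeisv[32] = "";
	int rc = parse_ciph_mode_compl(msg_with_l3, sizeof(msg_with_l3), &c);
	if (rc == 0) rc = ciph_mode_compl_imeisv(&c, imeisv, sizeof(imeisv));
	return printf("rc=%d alg=0x%02x imeisv=%s\n", rc, c.alg_id, imeisv) < 0;
}
```

The third sample (msg_short_l3) is the input the patched code above still does not guard against: an L3 IE that is present but shorter than the two-octet 04.08 header. Here it is rejected with -1 instead of feeding a wrapped length to the TLV parser. Build with `cc -std=c99 -Wall` and run; the test harness exercises all three PDUs.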


diff --git a/src/libmsc/osmo_msc.c b/src/libmsc/osmo_msc.c
index 2a868a8..755f8aa 100644
--- a/src/libmsc/osmo_msc.c
+++ b/src/libmsc/osmo_msc.c
@@ -156,43 +156,43 @@
 void msc_cipher_mode_compl(struct gsm_subscriber_connection *conn,
 			   struct msgb *msg, uint8_t alg_id)
 {
-	struct gsm48_hdr *gh = msgb_l3(msg);
-	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
-	struct tlv_parsed tp;
-	uint8_t mi_type;
-	char imeisv[GSM48_MI_SIZE] = "";
 	struct vlr_ciph_result ciph_res = { .cause = VLR_CIPH_REJECT };
 
-	if (!gh) {
-		LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
-		return;
-	}
-
 	if (!conn) {
-		LOGP(DRR, LOGL_ERROR,
-		     "invalid: rx Ciphering Mode Complete on NULL conn\n");
+		LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete on NULL conn\n");
 		return;
 	}
 	if (!conn->vsub) {
-		LOGP(DRR, LOGL_ERROR,
-		     "invalid: rx Ciphering Mode Complete for NULL subscr\n");
+		LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete for NULL subscr\n");
 		return;
 	}
 
-	DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n",
-	       vlr_subscr_name(conn->vsub));
+	DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n", vlr_subscr_name(conn->vsub));
 
-	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+	if (msg) {
+		struct gsm48_hdr *gh = msgb_l3(msg);
+		unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
+		struct tlv_parsed tp;
+		uint8_t mi_type;
+		char imeisv[GSM48_MI_SIZE] = "";
 
-	/* bearer capability */
-	if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
-		mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
-		if (mi_type == GSM_MI_TYPE_IMEISV
-		    && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
-			gsm48_mi_to_string(imeisv, sizeof(imeisv),
-					   TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
-					   TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
-			ciph_res.imeisv = imeisv;
+		if (!gh) {
+			LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
+			return;
+		}
+
+		tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+
+		/* bearer capability */
+		if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
+			mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
+			if (mi_type == GSM_MI_TYPE_IMEISV
+			    && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
+				gsm48_mi_to_string(imeisv, sizeof(imeisv),
+						   TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
+						   TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
+				ciph_res.imeisv = imeisv;
+			}
 		}
 	}
 
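Review bot: `payload_len = msgb_l3len(msg) - sizeof(*gh)` in the new `if (msg)` block is still computed without checking that the L3 contents are at least sizeof(*gh) octets long, so a Layer 3 Message Contents IE that is present but shorter than the 04.08 header wraps the unsigned subtraction and hands tlv_parse() a huge length; the NULL-msg case is fixed, but a truncated L3 IE still reaches the parser with an out-of-range length. Suggest computing payload_len after the `if (!gh)` check and adding `if (msgb_l3len(msg) < sizeof(*gh)) { LOGP(DRR, LOGL_ERROR, "invalid: short l3 message\n"); return; }` before tlv_parse(). Two smaller points in the same block: `mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;` reads the first value octet before the `TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0` test, so a zero-length Mobile Identity IE is read one octet past its (empty) value before the length check rejects it; testing the length first fixes that. And the `/* bearer capability */` comment above the Mobile Identity handling is stale; `/* Mobile Identity (IMEISV) */` describes what follows.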

-- 
To view, visit https://gerrit.osmocom.org/6034
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee
Gerrit-PatchSet: 3
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder