Change in osmo-msc[master]: libmsc/gsm_04_11.c: fix NULL-pointer dereference in gsm340_rx_tpdu()

Harald Welte gerrit-no-reply at lists.osmocom.org
Mon May 13 20:15:06 UTC 2019


Harald Welte has submitted this change and it was merged. ( https://gerrit.osmocom.org/13978 )

Change subject: libmsc/gsm_04_11.c: fix NULL-pointer dereference in gsm340_rx_tpdu()
......................................................................

libmsc/gsm_04_11.c: fix NULL-pointer dereference in gsm340_rx_tpdu()

Change-Id: I1e9b351e949efe596295d18f98c8a73c8e013763
Fixes: CID#198451
---
M src/libmsc/gsm_04_11.c
1 file changed, 17 insertions(+), 6 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/gsm_04_11.c b/src/libmsc/gsm_04_11.c
index c5c3036..a3b3830 100644
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@@ -457,14 +457,25 @@
 	uint8_t da_len_bytes;
 	uint8_t address_lv[12]; /* according to 03.40 / 9.1.2.5 */
 	int rc = 0;
-	struct msc_a *msc_a = trans->msc_a;
-	struct gsm_network *net = msc_a_net(msc_a);
-	struct vlr_subscr *vsub = msc_a_vsub(msc_a);
+	struct gsm_network *net;
+	struct vlr_subscr *vsub;
 
-	rate_ctr_inc(&net->msc_ctrs->ctr[MSC_CTR_SMS_SUBMITTED]);
-
-	if (!msc_a || !vsub)
+	if (!trans->msc_a) {
+		LOG_TRANS(trans, LOGL_ERROR, "Insufficient info to process TPDU: "
+					     "MSC-A role is NULL?!?\n");
 		return GSM411_RP_CAUSE_MO_NET_OUT_OF_ORDER;
+	}
+
+	net = msc_a_net(trans->msc_a);
+	vsub = msc_a_vsub(trans->msc_a);
+	if (!net || !vsub) {
+		LOG_TRANS(trans, LOGL_ERROR, "Insufficient info to process TPDU: "
+					     "gsm_network and/or vlr_subscr is NULL?!?\n");
+		return GSM411_RP_CAUSE_MO_NET_OUT_OF_ORDER;
+	}
+
+	/* FIXME: should we do this on success, after all checks? */
+	rate_ctr_inc(&net->msc_ctrs->ctr[MSC_CTR_SMS_SUBMITTED]);
 
 	gsms = sms_alloc();
 	if (!gsms)
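Review bot: the relocated rate_ctr_inc() at the end of the added block changes what MSC_CTR_SMS_SUBMITTED measures, and the FIXME leaves that question open. Before this change the counter was bumped ahead of every check; now a TPDU rejected by either of the two new early returns is not counted, while one that fails later (for example in the !gsms branch right after sms_alloc()) still is. Either move the increment to the success path or replace the FIXME with a comment stating that the counter covers every submission that passed the NULL checks, so the statistic stays interpretable. The commit message carries only the Change-Id and the CID; one sentence noting that net->msc_ctrs was dereferenced before any NULL check, and that the old test never covered net at all, would help anyone reading the history. Minor: net->msc_ctrs is still dereferenced unchecked after the new !net test, so if msc_ctrs can ever be unset the same class of fault remains at that line.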

-- 
To view, visit https://gerrit.osmocom.org/13978

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I1e9b351e949efe596295d18f98c8a73c8e013763
Gerrit-Change-Number: 13978
Gerrit-PatchSet: 4
Gerrit-Owner: Vadim Yanitskiy <axilirator at gmail.com>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder (1000002)