This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
dexter gerrit-no-reply at lists.osmocom.orgdexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/22349 ) Change subject: gprs_ns2_vc_fsm: fix nullpointer dereference when sending uintdata ...................................................................... gprs_ns2_vc_fsm: fix nullpointer dereference when sending uintdata the function gprs_ns2_vc_rx() is called from gprs_ns2.c with tp=NULL. This leads into a null pointer dereference because gprs_ns2_vc_rx() is accessing tp several times. tp is also handed up into the FSM, with the exception of unitdata. Apparently for unitdata tp does not exist, so we can move up the part where unitdata is handed up into the FSM and after that we can check if tp is NULL to make sure the code which is accessing it is not executed. Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a --- M src/gb/gprs_ns2_vc_fsm.c 1 file changed, 12 insertions(+), 4 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/49/22349/1 diff --git a/src/gb/gprs_ns2_vc_fsm.c b/src/gb/gprs_ns2_vc_fsm.c index d4f4320..7ea7192 100644 --- a/src/gb/gprs_ns2_vc_fsm.c +++ b/src/gb/gprs_ns2_vc_fsm.c @@ -756,6 +756,18 @@ * if not answer STATUS with "NS-VC unknown" */ /* TODO: handle BLOCK/UNBLOCK/ALIVE with different VCI */ + if (nsh->pdu_type == NS_PDUT_UNITDATA) { + /* UNITDATA have to free msg because it might send the msg layer upwards */ + osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg); + return 0; + } + + if (!tp) { + LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx %s without TLV IEs\n", nsvc->nse->nsei, + get_value_string(gprs_ns_pdu_strings, nsh->pdu_type)); + goto out; + } + if (gprs_ns2_validate(nsvc, nsh->pdu_type, msg, tp, &cause)) { if (nsh->pdu_type != NS_PDUT_STATUS) { rc = ns2_tx_status(nsvc, cause, 0, msg); 
@@ -814,10 +826,6 @@ case NS_PDUT_ALIVE_ACK: osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_ALIVE_ACK, tp); break; - case NS_PDUT_UNITDATA: - /* UNITDATA have to free msg because it might send the msg layer upwards */ - osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg); - return 0; default: LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx unknown NS PDU type %s\n", nsvc->nse->nsei, get_value_string(gprs_ns_pdu_strings, nsh->pdu_type)); -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/22349 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a Gerrit-Change-Number: 22349 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier at sysmocom.de> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210120/47c6f778/attachment.htm>
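Review bot: in the first hunk, the new `if (!tp)` branch jumps to `out` without assigning `rc`, and what `out` returns is not visible in the hunk; if `out` returns `rc`, set it explicitly before the jump (e.g. `rc = -EINVAL;` then `goto out;`) so a PDU rejected for missing TLV IEs is not reported to the caller as success. Moving the UNITDATA dispatch above `gprs_ns2_validate()` also means UNITDATA PDUs no longer pass through that validation at all; since the commit message only says tp "apparently" does not exist for unitdata, it would help to state definitively that the caller passes tp=NULL for UNITDATA and why validation is not required on that path. As the moved comment is being touched anyway, consider rewording "UNITDATA have to free msg because it might send the msg layer upwards" to say that the FSM takes ownership of msg and may hand it up a layer, which is why the function returns immediately here.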