Change in libosmocore[master]: gprs_ns2_vc_fsm: fix null pointer dereference when sending unitdata

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

dexter gerrit-no-reply at lists.osmocom.org
Wed Jan 20 22:45:47 UTC 2021


dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/22349 )


Change subject: gprs_ns2_vc_fsm: fix null pointer dereference when sending unitdata
......................................................................

gprs_ns2_vc_fsm: fix null pointer dereference when sending unitdata

The function gprs_ns2_vc_rx() is called from gprs_ns2.c with tp=NULL.
This leads to a null pointer dereference because gprs_ns2_vc_rx()
accesses tp several times. tp is also handed up into the FSM, with the
exception of unitdata. Apparently for unitdata tp does not exist, so we
can move up the part where unitdata is handed up into the FSM, and after
that we can check if tp is NULL to make sure the code which accesses
it is not executed.

Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a
---
M src/gb/gprs_ns2_vc_fsm.c
1 file changed, 12 insertions(+), 4 deletions(-)
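A stand-alone C illustration of the ordering this change establishes, added here as an example; it is not libosmocore code, and the enumerator values, struct layouts, return codes, the toy two-byte-header TLV format and the sample PDUs in it are all assumptions chosen only to mirror the shape of the receive path: a caller that parses IEs for control PDUs only and hands UNITDATA down with tp == NULL, and a receiver that therefore must not touch tp before it has looked at the PDU type.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libosmocore code: every value and type here is
 * an assumption made for the example. */

enum pdu_type {
	PDUT_UNITDATA  = 0x00,
	PDUT_STATUS    = 0x08,
	PDUT_ALIVE     = 0x0a,
	PDUT_ALIVE_ACK = 0x0b,
};

#define MAX_TAG  8
#define IE_CAUSE 0x01

/* Parsed IE set: presence flag and first value byte per tag. */
struct tlv_parsed {
	uint8_t present[MAX_TAG];
	uint8_t val[MAX_TAG];
};

/* Outcomes of the receive path (assumed codes, not the project's). */
enum rx_result {
	RX_UNITDATA_UP  = 1,        /* payload handed to the layer above */
	RX_CTRL_HANDLED = 2,        /* control PDU processed */
	RX_STATUS_SENT  = 3,        /* malformed control PDU answered with STATUS */
	RX_NO_TLV       = -EINVAL,  /* control PDU arrived without parsed IEs */
	RX_INVALID      = -EBADMSG, /* IEs truncated, or a STATUS without Cause */
	RX_UNKNOWN_PDU  = -EPROTO,
};

/* Toy parser: IEs are <tag><len><len bytes>; only the first value byte
 * is kept. Returns 0 on success, -1 if an IE is truncated or unknown. */
static int tlv_parse(struct tlv_parsed *tp, const uint8_t *buf, size_t len)
{
	memset(tp, 0, sizeof(*tp));
	while (len >= 2) {
		uint8_t tag = buf[0], l = buf[1];
		if (l == 0 || tag >= MAX_TAG || (size_t)l + 2 > len)
			return -1;
		tp->present[tag] = 1;
		tp->val[tag] = buf[2];
		buf += 2 + l;
		len -= 2 + l;
	}
	return len == 0 ? 0 : -1;
}

/* The checks that need the IE set. Assumed rule: a STATUS must carry a
 * Cause IE and no other PDU may carry one. */
static int validate(enum pdu_type pt, const struct tlv_parsed *tp)
{
	int has_cause = tp->present[IE_CAUSE];
	return (pt == PDUT_STATUS) != has_cause ? -1 : 0;
}

/* Receiver in the shape the change produces: UNITDATA leaves before
 * anything reads tp, and only paths after the NULL check may use it.
 * Swapping the first two ifs would wrongly reject every UNITDATA. */
static int vc_rx(enum pdu_type pt, const struct tlv_parsed *tp)
{
	if (pt == PDUT_UNITDATA)
		return RX_UNITDATA_UP;   /* tp is legitimately NULL here */
	if (!tp)
		return RX_NO_TLV;        /* without this, validate() dereferences NULL */
	if (validate(pt, tp))
		return pt == PDUT_STATUS ? RX_INVALID : RX_STATUS_SENT;
	switch (pt) {
	case PDUT_STATUS:
	case PDUT_ALIVE:
	case PDUT_ALIVE_ACK:
		return RX_CTRL_HANDLED;
	default:
		return RX_UNKNOWN_PDU;
	}
}

/* Caller in the shape the commit message describes: IEs are parsed for
 * control PDUs only, and UNITDATA is handed down with tp == NULL. */
static int ns_rx(const uint8_t *buf, size_t len)
{
	struct tlv_parsed tp;
	enum pdu_type pt;

	if (len < 1)
		return RX_INVALID;
	pt = (enum pdu_type)buf[0];
	if (pt == PDUT_UNITDATA)
		return vc_rx(pt, NULL);
	if (tlv_parse(&tp, buf + 1, len - 1) < 0)
		return RX_INVALID;
	return vc_rx(pt, &tp);
}

int main(void)
{
	/* Constructed sample PDUs: UNITDATA with two payload bytes, a bare
	 * ALIVE, a STATUS without and with its Cause IE. */
	static const uint8_t unitdata[]   = { PDUT_UNITDATA, 0xde, 0xad };
	static const uint8_t alive[]      = { PDUT_ALIVE };
	static const uint8_t bad_status[] = { PDUT_STATUS };
	static const uint8_t status[]     = { PDUT_STATUS, IE_CAUSE, 0x01, 0x0b };

	printf("unitdata       -> %d\n", ns_rx(unitdata, sizeof(unitdata)));
	printf("alive          -> %d\n", ns_rx(alive, sizeof(alive)));
	printf("bad status     -> %d\n", ns_rx(bad_status, sizeof(bad_status)));
	printf("status         -> %d\n", ns_rx(status, sizeof(status)));
	printf("alive, NULL tp -> %d\n", vc_rx(PDUT_ALIVE, NULL));
	return 0;
}
```

The point the example makes runnable is that the NULL guard only works because it sits after the UNITDATA exit: a UNITDATA with tp == NULL is the normal case and must pass, while a control PDU with tp == NULL is a caller bug or a malformed packet and must be rejected with an explicit error rather than dereferenced.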



  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/49/22349/1

diff --git a/src/gb/gprs_ns2_vc_fsm.c b/src/gb/gprs_ns2_vc_fsm.c
index d4f4320..7ea7192 100644
--- a/src/gb/gprs_ns2_vc_fsm.c
+++ b/src/gb/gprs_ns2_vc_fsm.c
@@ -756,6 +756,18 @@
 	 *  if not answer STATUS with "NS-VC unknown" */
 	/* TODO: handle BLOCK/UNBLOCK/ALIVE with different VCI */
 
+	if (nsh->pdu_type == NS_PDUT_UNITDATA) {
+		/* UNITDATA have to free msg because it might send the msg layer upwards */
+		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
+		return 0;
+	}
+
+	if (!tp) {
+		LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx %s without TLV IEs\n", nsvc->nse->nsei,
+			 get_value_string(gprs_ns_pdu_strings, nsh->pdu_type));
+		goto out;
+	}
+
 	if (gprs_ns2_validate(nsvc, nsh->pdu_type, msg, tp, &cause)) {
 		if (nsh->pdu_type != NS_PDUT_STATUS) {
 			rc = ns2_tx_status(nsvc, cause, 0, msg);
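Review bot: the new early return for NS_PDUT_UNITDATA sits above the gprs_ns2_validate() call, while the removed switch case ran after it, so UNITDATA PDUs are now dispatched to the FSM without going through that validation; if gprs_ns2_validate() applied any length or state check to UNITDATA, the GPRS_NS2_EV_RX_UNITDATA handler has to perform it itself, and the commit message should state that the validation order changed for UNITDATA. Separately, the `if (!tp)` branch does `goto out` without assigning rc, so the caller receives whatever rc held before this point; setting an explicit error such as `rc = -EINVAL;` before the jump makes the rejection observable, and since the peer has sent a control PDU without the IEs it requires, answering with a STATUS as the validation-failure path directly below does would be the consistent treatment.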
@@ -814,10 +826,6 @@
 	case NS_PDUT_ALIVE_ACK:
 		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_ALIVE_ACK, tp);
 		break;
-	case NS_PDUT_UNITDATA:
-		/* UNITDATA have to free msg because it might send the msg layer upwards */
-		osmo_fsm_inst_dispatch(fi, GPRS_NS2_EV_RX_UNITDATA, msg);
-		return 0;
 	default:
 		LOGPFSML(fi, LOGL_ERROR, "NSEI=%u Rx unknown NS PDU type %s\n", nsvc->nse->nsei,
 			 get_value_string(gprs_ns_pdu_strings, nsh->pdu_type));
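Review bot: with `case NS_PDUT_UNITDATA:` removed, every remaining case of this switch passes a `tp` that the new NULL check above guarantees, which is consistent, but a reader of the switch no longer sees where UNITDATA is handled; a one-line comment before `default:` such as `/* NS_PDUT_UNITDATA is dispatched before TLV validation, see above */` would keep that visible. The comment carried over to the new location, "UNITDATA have to free msg because it might send the msg layer upwards", is also hard to parse; it should state who owns msg after osmo_fsm_inst_dispatch() and why this path must return instead of falling through to the common exit.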

-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/22349
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I7d7c95604ba4af4ed4b6019f1d432970225f8d7a
Gerrit-Change-Number: 22349
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-MessageType: newchange