Coverity issues in lapd_core/gsm mncc


Holger Hans Peter Freyther holger at freyther.de
Sat Jul 6 09:42:17 UTC 2013


On Sat, Jul 06, 2013 at 10:05:00AM +0200, Andreas Eversberg wrote:

> this is really wrong. msg may be null. at least it depends on the upper
> layer how to provide msg (NULL or 0-length), see patch.

but we have not hit this case yet (e.g. no re-establishment occurred
right now). Do you have an idea of why this doesn't crash right now?

> i think we can remove the check for trans->subscr, since all rx
> functions assume that it is set. instead it makes sense to add a sanity
> check (trans->subscr must be set) to gsm0408_rcv_cc before calling the
> rx function.

okay. I will take care of that.


> also if msg exists with 0 length, it will not be used, so it must be
> freed, see patch.

do you think you could extend the LAPD testcase for the case that would
have crashed/leaked right now? msgb_free(NULL) is well defined, this means
you do not need to have a NULL check there.


>  	LOGP(DLLAPD, LOGL_INFO, "perform re-establishment (SABM) length=%d\n",
> -		msg->len);
> +		(msg) ? msg->len : 0);
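
Review bot: in the LOGP call, the `(msg) ? msg->len : 0` fallback makes a NULL msg and a zero-length msg both log as length=0, so the trace cannot tell which of the two the upper layer passed. If that distinction matters when debugging re-establishment, log the NULL case separately. Since this line now assumes msg may be NULL, any later dereference of msg in the same function needs the same guard; none is visible in the quoted lines.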

	why the '(' and ')'?

> +	} else {
> +		if (msg)
> +			msgb_free(msg);

		msgb_free(msg) 

>  		dl->send_buffer = NULL;
> +	}
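
Review bot: in the new else branch, `dl->send_buffer = NULL;` clears the pointer right after msg is freed, and the quoted lines do not show whether a buffer previously held in dl->send_buffer is released before this point. Worth confirming, since dropping it here would be the same kind of leak this change fixes for msg.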



