[PATCH 2/3] bssgp: Ensure non-NULL bctx before calling bssgp_rx_ptp (Coverity)

Jacob Erlbeck jerlbeck at sysmocom.de
Tue Apr 7 15:52:44 UTC 2015


Currently bssgp_rx_ptp might be called with bctx being NULL, when the
NS BVCI is neither BVCI_SIGNALLING nor BVCI_PTM, but the message is
a BVC_RESET or it contains a BVCI IE != BVCI_SIGNALLING where the
BVCI is not known.

This patch ensures that bssgp_rx_ptp will only be called with a
non-NULL bctx. A log message will be issued if the bctx is NULL when
this was not expected.

Fixes: Coverity CID 1040674
Sponsored-by: On-Waves ehf
---
 src/gb/gprs_bssgp.c        |  7 ++++++-
 tests/gb/gprs_bssgp_test.c | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/gb/gprs_bssgp.c b/src/gb/gprs_bssgp.c
index a3fd6aa..4c93b69 100644
--- a/src/gb/gprs_bssgp.c
+++ b/src/gb/gprs_bssgp.c
@@ -1073,8 +1073,13 @@ int bssgp_rcvmsg(struct msgb *msg)
 		rc = bssgp_rx_sign(msg, &tp, bctx);
 	else if (ns_bvci == BVCI_PTM)
 		rc = bssgp_tx_status(BSSGP_CAUSE_PDU_INCOMP_FEAT, NULL, msg);
-	else
+	else if (bctx)
 		rc = bssgp_rx_ptp(msg, &tp, bctx);
+	else
+		LOGP(DBSSGP, LOGL_NOTICE,
+			"NSEI=%u/BVCI=%u Cannot handle PDU type %u for "
+			"unknown BVCI, NS BVCI %u\n",
+			msgb_nsei(msg), bvci, pdu_type, ns_bvci);
 
 	return rc;
 }
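Review bot: the new final `else` branch in bssgp_rcvmsg() only logs and never assigns `rc`, so `return rc;` hands back whatever `rc` held before the if/else chain. Its initialisation is not visible in this hunk; if it starts at 0, a PDU that was dropped for an unknown BVCI is reported to the caller as handled. Consider setting an explicit error in that branch (for example `rc = -EINVAL;`) or answering the peer with bssgp_tx_status() and a suitable cause, as the BVCI_PTM branch just above does. Since the branch now spans four lines under a bare `else`, braces would also make it harder for a later edit to fall outside the conditional.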
diff --git a/tests/gb/gprs_bssgp_test.c b/tests/gb/gprs_bssgp_test.c
index 3d1384b..b454430 100644
--- a/tests/gb/gprs_bssgp_test.c
+++ b/tests/gb/gprs_bssgp_test.c
@@ -159,6 +159,22 @@ static void test_bssgp_status(void)
 	printf("----- %s END\n", __func__);
 }
 
+static void test_bssgp_bad_reset()
+{
+	struct msgb *msg = bssgp_msgb_alloc();
+	uint16_t bvci_be = htons(2);
+	uint8_t cause = BSSGP_CAUSE_OML_INTERV;
+
+	msgb_v_put(msg, BSSGP_PDUT_BVC_RESET);
+	msgb_tvlv_put(msg, BSSGP_IE_BVCI, sizeof(bvci_be), (uint8_t *)&bvci_be);
+	msgb_tvlv_put(msg, BSSGP_IE_CAUSE, sizeof(cause), &cause);
+
+	msgb_bvci(msg) = 0xbad;
+
+	msgb_bssgp_send_and_free(msg);
+}
+
+
 static struct log_info info = {};
 
 int main(int argc, char **argv)
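Review bot: test_bssgp_bad_reset() sends the malformed BVC_RESET but checks nothing afterwards, so it only proves the absence of a crash and would still pass if the NULL bctx path regressed into silently succeeding. If msgb_bssgp_send_and_free() can expose the result of bssgp_rcvmsg(), assert on it, or otherwise print a line the expected output can be compared against. Two style points in the same function: declare it as `static void test_bssgp_bad_reset(void)` to match test_bssgp_status(void) in the hunk header, and add the `printf("----- %s START\n", __func__);` / END markers the neighbouring test uses so the output shows which test ran. The second added blank line before `static struct log_info info` is not needed.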
@@ -181,6 +197,7 @@ int main(int argc, char **argv)
 	printf("===== BSSGP test START\n");
 	test_bssgp_suspend_resume();
 	test_bssgp_status();
+	test_bssgp_bad_reset();
 	printf("===== BSSGP test END\n\n");
 
 	exit(EXIT_SUCCESS);
-- 
1.9.1



