lchan_fsm: Fix possible NULL ptr dereference in _lchan_on_mode_modify_failure()

_lchan_on_activation_failure(), which calls lchan_on_mode_modify_failure(), already checks for !for_conn in other paths. Hence, it can be that for_conn being passed to _lchan_on_mode_modify_failure() may be null. """ Stack trace of thread 7077: #0 0x000055d25a463842 _lchan_on_mode_modify_failure (osmo-bsc) #1 0x000055d25a46b57c _lchan_on_activation_failure (osmo-bsc) #2 0x00007fe8b2083be4 state_chg (libosmocore.so.17) #3 0x00007fe8b208409d _osmo_fsm_inst_state_chg (libosmocore.so.17) #4 0x000055d25a46825a lchan_fsm_wait_rll_rtp_establish (osmo-bsc) #5 0x00007fe8b2084239 _osmo_fsm_inst_dispatch (libosmocore.so.17) #6 0x00007fe8b2083be4 state_chg (libosmocore.so.17) #7 0x00007fe8b208409d _osmo_fsm_inst_state_chg (libosmocore.so.17) #8 0x000055d25a46dbdc lchan_rtp_fsm_wait_ipacc_mdcx_ack (osmo-bsc) #9 0x00007fe8b2084239 _osmo_fsm_inst_dispatch (libosmocore.so.17) #10 0x000055d25a411d69 abis_rsl_rx_ipacc_mdcx_ack (osmo-bsc) """ Related: SYS#5698 Change-Id: If8b2895feef6e30f9c1db97394dd16d892b277f2
2021-11-04 22:16:30 +01:00 · 2021-11-04 22:16:30 +01:00 · 5dbed8160f
parent 93d84380e9
commit 5dbed8160f
1 changed files with 5 additions and 0 deletions
--- a/src/osmo-bsc/lchan_fsm.c
+++ b/src/osmo-bsc/lchan_fsm.c
@ -97,6 +97,11 @@ static void _lchan_on_mode_modify_failure(struct gsm_lchan *lchan, enum lchan_mo
 	case MODIFY_FOR_ASSIGNMENT:
 		LOG_LCHAN(lchan, LOGL_NOTICE, "Signalling Assignment FSM of error (%s)\n",
 			  lchan->last_error ? : "unknown error");
+		if (!for_conn) {
+			LOG_LCHAN(lchan, LOGL_ERROR, "lchan Channel Mode Modify failed, "
+				  "but modify request has no conn\n");
+			break;
+		}
 		_osmo_fsm_inst_dispatch(for_conn->assignment.fi, ASSIGNMENT_EV_LCHAN_ERROR, lchan,
 					file, line);
 		return;