From ccba3a9e4f34c894020ca26149de4645c1573bf6 Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol
Date: Tue, 22 Nov 2022 18:28:27 +0100
Subject: [PATCH] lcs: Fix passing NULL bsc_subscr to paging_request_cancel()

This is triggered by BSC_Tests.TC_lcs_loc_req_no_subscriber.

Before, the NULL ptr was not a problem because paging_request_cancel() only used the pointer to compare it against other pointers, but never accessing it. A follow-up patch is, however, changing the implementation to optimize the lookup by using the subscriber pointer, which generates a crash.

Related: SYS#6200
Change-Id: Id0de43ac5bde0f52f258de6c9bf58b173301c8db
---
 src/osmo-bsc/lcs_loc_req.c | 3 ++-
 src/osmo-bsc/paging.c | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/osmo-bsc/lcs_loc_req.c b/src/osmo-bsc/lcs_loc_req.c
index d53f2ab1f..bb0c5e273 100644
--- a/src/osmo-bsc/lcs_loc_req.c
+++ b/src/osmo-bsc/lcs_loc_req.c
@@ -514,7 +514,8 @@ static void lcs_loc_req_failed_onenter(struct osmo_fsm_inst *fi, uint32_t prev_s
 };
 /* If we're paging this subscriber for LCS, stop paging. */
-paging_request_cancel(lcs_loc_req->conn->bsub, BSC_PAGING_FOR_LCS);
+if (lcs_loc_req->conn->bsub)
+paging_request_cancel(lcs_loc_req->conn->bsub, BSC_PAGING_FOR_LCS);
 /* Send Perform Location Abort to SMLC, only if we got started on the Lb */
 if (lcs_loc_req->conn->lcs.lb.state == SUBSCR_SCCP_ST_CONNECTED)
diff --git a/src/osmo-bsc/paging.c b/src/osmo-bsc/paging.c
index e1290f5cb..b73578e37 100644
--- a/src/osmo-bsc/paging.c
+++ b/src/osmo-bsc/paging.c
@@ -578,6 +578,7 @@ void paging_request_stop(struct bsc_msc_data **msc_p, enum bsc_paging_reason *re
 void paging_request_cancel(struct bsc_subscr *bsub, enum bsc_paging_reason reasons)
 {
 struct gsm_bts *bts;
+OSMO_ASSERT(bsub);
 llist_for_each_entry(bts, &bsc_gsmnet->bts_list, list) {
 struct gsm_paging_request *req, *req2;
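Review bot: The new NULL guard in front of paging_request_cancel() carries no explanation of why conn->bsub can be unset at this point, and a reader of lcs_loc_req_failed_onenter() (whose body starts and ends outside this hunk) would naturally assume a location request always has a subscriber attached. The commit message ties the case to TC_lcs_loc_req_no_subscriber, so that reason belongs next to the check: `/* conn->bsub may be NULL if the location request belongs to a conn with no known subscriber; there is then no LCS paging to cancel. */`. Note also that `lcs_loc_req->conn` itself is still dereferenced unguarded on both the new line and the following `lcs.lb.state` test; whether conn can be NULL when this state is entered is not visible in the hunk and should be confirmed rather than assumed.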
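Review bot: `OSMO_ASSERT(bsub);` turns what the commit message describes as a previously harmless NULL into a process abort for every caller of paging_request_cancel(), not only the LCS path fixed in lcs_loc_req.c, so any other caller that can still pass NULL now takes down the whole BSC — an availability concern if such a path is reachable from a peer. Only one caller is adjusted in this diff; the remaining callers are outside it and should be checked before the follow-up lookup change that makes the dereference real lands. Since this is now a hard precondition it also belongs on the function's declaration, e.g. `/* bsub must not be NULL; callers check before calling. */`. If a non-fatal contract is preferred, `if (!bsub) return;` with a log line would keep the cancel a no-op for NULL, as it effectively was before.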