gprs: Handle empty GSUP messages correctly

Currently, the gprs_gsup_decode function doesn't check the return
value of gprs_shift_v_fixed before using the value pointer. The
function fails if the GSUP message length (not including IPA
headers) is 0. In this case, a segfault can happen, depending on the
value of the uninitialized 'value' pointer. The test case doesn't
trigger a segfault, but valgrind complains about reading
uninitialized data.

This patch adds a check for the return value that would return with
an error code if the shift function failed.

Sponsored-by: On-Waves ehf
Jacob Erlbeck 2015-01-12 13:23:05 +01:00 committed by Holger Hans Peter Freyther
parent 2a5d9500d0
commit e27bc6c958
1 changed file with 4 additions and 1 deletion


@ -174,7 +174,10 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
static const struct gsm_auth_tuple empty_auth_info = {0};
/* generic part */
gprs_shift_v_fixed(&data, &data_len, 1, &value);
rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
if (rc < 0)
return -GMM_CAUSE_INV_MAND_INFO;
gsup_msg->message_type = decode_big_endian(value, 1);
rc = gprs_match_tlv(&data, &data_len, GPRS_GSUP_IMSI_IE,
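Review bot: the check added after `rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);` closes the empty-message path, but `value` itself still has no initializer in this hunk, so any later shift or match call whose return value is not checked would leave the same uninitialized-pointer read that valgrind reported. Consider initializing the pointer at its declaration (`const uint8_t *value = NULL;`) so a missed check turns into a deterministic NULL dereference rather than a read of stack garbage, and apply the same `if (rc < 0)` pattern to the `gprs_match_tlv` call that follows, whose result is assigned to `rc` but not checked within the visible lines. The cause value `-GMM_CAUSE_INV_MAND_INFO` is appropriate here, since the message-type octet is mandatory and a zero-length payload lacks it.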