gprs: Handle empty GSUP messages correctly
Currently, the gprs_gsup_decode function doesn't check the return value of gprs_shift_v_fixed before using the value pointer. The function fails if the GSUP message length (not including IPA headers) is 0. In this case, a segfault can happen, depending on the value of the uninitialized 'value' pointer. The test case doesn't trigger a segfault, but valgrind complains about reading uninitialized data. This patch adds a check for the return value that would return with an error code if the shift function failed.

Sponsored-by: On-Waves ehf
parent 2a5d9500d0
commit e27bc6c958
@ -174,7 +174,10 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
static const struct gsm_auth_tuple empty_auth_info = {0};
/* generic part */
gprs_shift_v_fixed(&data, &data_len, 1, &value);
rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
if (rc < 0)
return -GMM_CAUSE_INV_MAND_INFO;
gsup_msg->message_type = decode_big_endian(value, 1);
rc = gprs_match_tlv(&data, &data_len, GPRS_GSUP_IMSI_IE,
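Review bot: The new `if (rc < 0) return -GMM_CAUSE_INV_MAND_INFO;` guards only the first gprs_shift_v_fixed call in this hunk; since the commit message says a zero-length body left `value` uninitialized, any later shift or match call in gprs_gsup_decode whose return value is still ignored (not shown here) would fail the same way on a truncated message and should get the same check. The existing test case mentioned in the message only surfaces the bug under valgrind; a test that feeds a zero-length GSUP body and asserts that gprs_gsup_decode returns a negative value would catch a regression directly.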