From e27bc6c958e7a63a1b8222dc08ccc558a7b6c0bf Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck
Date: Mon, 12 Jan 2015 13:23:05 +0100
Subject: [PATCH] gprs: Handle empty GSUP messages correctly

Currently, the gprs_gsup_decode function doesn't check the return value of gprs_shift_v_fixed before using the value pointer. The function fails, if the GSUP message length (not including IPA headers) is 0. In this case, a segfault can happen, depending on the value of the uninitialized 'value' pointer. The test case doesn't trigger a segfault, but valgrind complains about reading uninitialized data. This patch adds a check for the return value that would return with an error code if the shift function failed. Sponsored-by: On-Waves ehf
---
 openbsc/src/gprs/gprs_gsup_messages.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/gprs/gprs_gsup_messages.c b/openbsc/src/gprs/gprs_gsup_messages.c
index c3d187db..02e14e79 100644
--- a/openbsc/src/gprs/gprs_gsup_messages.c
+++ b/openbsc/src/gprs/gprs_gsup_messages.c
@@ -174,7 +174,10 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
 static const struct gsm_auth_tuple empty_auth_info = {0};
 /* generic part */
- gprs_shift_v_fixed(&data, &data_len, 1, &value);
+ rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
+ if (rc < 0)
+ return -GMM_CAUSE_INV_MAND_INFO;
+
 gsup_msg->message_type = decode_big_endian(value, 1);
 rc = gprs_match_tlv(&data, &data_len, GPRS_GSUP_IMSI_IE,
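Review bot: The new `if (rc < 0)` return is correct but carries no comment; the reason a failed shift maps to -GMM_CAUSE_INV_MAND_INFO (the message must carry at least the one-octet message type) lives only in the commit message. Adding `/* the message-type octet is mandatory; an empty message is rejected here */` above the check would keep that intent next to the code. The `value` pointer that decode_big_endian reads is declared before this hunk and, per the commit message, was left uninitialized; initializing it to NULL at its declaration would make any future missed return-value check fail deterministically instead of reading an indeterminate pointer. gprs_gsup_decode starts before this hunk and continues after it.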