gsm_04_08: Fix nullpointer deref

The pointers conn, conn->vsub and conn->vsub->last_tuple are checked,
but before the check those pointers are already dereferenced during
assignment. This defeats the purpose of the check. Let's dereference
those pointers only after the check.

Fixes: CID#190404
Change-Id: Ice4992606f3799eac13154ec0b9f53e46d2e178e
Philipp Maier 2019-01-08 12:29:49 +01:00 committed by Harald Welte
parent 9b9e76fe01
commit ec5901c8f2
1 changed files with 5 additions and 2 deletions


@ -1603,12 +1603,12 @@ osmo_static_assert(sizeof(((struct gsm0808_encrypt_info*)0)->key) >= sizeof(((st
int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool retrieve_imeisv)
{
struct gsm_network *net = conn->network;
struct gsm_network *net;
struct gsm0808_encrypt_info ei;
int i, j = 0;
int request_classmark = 0;
int request_classmark_for_a5_n = 0;
struct vlr_auth_tuple *tuple = conn->vsub->last_tuple;
struct vlr_auth_tuple *tuple;
if (!conn || !conn->vsub || !conn->vsub->last_tuple) {
/* This should really never happen, because we checked this in msc_vlr_set_ciph_mode()
@ -1617,6 +1617,9 @@ int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool re
return -EINVAL;
}
net = conn->network;
tuple = conn->vsub->last_tuple;
for (i = 0; i < 8; i++) {
int supported;
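Review bot: The relocated `net = conn->network;` reads a pointer that the guard above it never tests, since the condition covers only `conn`, `conn->vsub` and `conn->vsub->last_tuple`. If `net` is dereferenced later in ran_conn_geran_set_cipher_mode() (the body continues past this hunk, so that is an assumption), a NULL `conn->network` would be the same class of defect this commit fixes. Either extend the guard to `if (!conn || !conn->network || !conn->vsub || !conn->vsub->last_tuple) {`, or document the invariant that makes it unnecessary. A short comment above the two assignments, e.g. `/* conn, conn->vsub and last_tuple are validated above; do not move these before the check */`, would also keep a later cleanup from folding them back into the declarations. The two lines of the error branch between the hunks are not shown, so confirm that any logging there does not read through `conn` when it is NULL.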