From ec5901c8f23e5896949e61650a4190ec20b85665 Mon Sep 17 00:00:00 2001
From: Philipp Maier
Date: Tue, 8 Jan 2019 12:29:49 +0100
Subject: [PATCH] gsm_04_08: Fix nullpointer deref
The pointers conn, conn->vsub and conn->vsub->last_tuple are checked, but before the check those pointers are already dereferenced during assignment. This defeats the purpose of the check. Lets dereference those pointers after the check.
Fixes: CID#190404
Change-Id: Ice4992606f3799eac13154ec0b9f53e46d2e178e
---
 src/libmsc/gsm_04_08.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 7a485c704..adc946eb9 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -1603,12 +1603,12 @@ osmo_static_assert(sizeof(((struct gsm0808_encrypt_info*)0)->key) >= sizeof(((st
 int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool retrieve_imeisv)
 {
- struct gsm_network *net = conn->network;
+ struct gsm_network *net;
 struct gsm0808_encrypt_info ei;
 int i, j = 0;
 int request_classmark = 0;
 int request_classmark_for_a5_n = 0;
- struct vlr_auth_tuple *tuple = conn->vsub->last_tuple;
+ struct vlr_auth_tuple *tuple;
 if (!conn || !conn->vsub || !conn->vsub->last_tuple) {
 /* This should really never happen, because we checked this in msc_vlr_set_ciph_mode()
@@ -1617,6 +1617,9 @@ int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool re
 return -EINVAL;
 }
+ net = conn->network;
+ tuple = conn->vsub->last_tuple;
+
 for (i = 0; i < 8; i++) {
 int supported;
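Review bot: The guard `if (!conn || !conn->vsub || !conn->vsub->last_tuple)` still leaves `conn->network` unchecked, so the deferred `net = conn->network;` assignment can yield a NULL `net` that the guard was meant to rule out. If `net` is dereferenced later in ran_conn_geran_set_cipher_mode (its body continues past both hunks, so I cannot confirm that here), extend the guard to `if (!conn || !conn->vsub || !conn->vsub->last_tuple || !conn->network) {` so the "should never happen" path covers every pointer the function relies on. Moving the dereferences below the guard is also what makes the `!conn` test effective at all: with the old order a compiler is entitled to treat `conn` as non-NULL after `conn->network` and drop the check entirely. The comment opened at `/* This should really never happen ...` is cut off at the hunk boundary, as is the rest of the function.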