osmocom
/
libosmocore
mirror of https://gerrit.osmocom.org/libosmocore
11
0
Fork 0
Code Issues Releases Wiki Activity

bssgp_rx_paging(): Fix parsing of P-TMSI IE in Paging message 

This was actually discovered by the following compiler warning in
gcc-6.2.0:

  CC       gprs_bssgp_bss.lo
gprs_bssgp_bss.c: In function ‘bssgp_rx_paging’:
gprs_bssgp_bss.c:544:2: warning: this ‘if’ clause does not guard...
[-Wmisleading-indentation]
  if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
  ^~
gprs_bssgp_bss.c:548:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
   *(pinfo->ptmsi) = ntohl(*(uint32_t *)
   ^

This is an actual bug.  If we recevied a BSSGP Paging Request without
P-TMSI, we might crash or report some random memory as P-TMSI to the
caller in the output data structure.

Change-Id: Ib4f307827cd7cccc91c1415a6fb5428d7cf8416d
This commit is contained in:
Harald Welte 2016-11-11 15:10:33 +01:00
parent c4193d30e8
commit 6176b6e092
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/gb/gprs_bssgp_bss.c
View File

@ -542,11 +542,12 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo,
/* Optional (P-)TMSI */
if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4)
TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4) {
if (!pinfo->ptmsi)
pinfo->ptmsi = talloc_zero_size(pinfo, sizeof(uint32_t));
*(pinfo->ptmsi) = ntohl(*(uint32_t *)
TLVP_VAL(&tp, BSSGP_IE_TMSI));
}
return 0;