authorHarald Welte <laforge@gnumonks.org>2015-12-25 20:12:28 +0100
committerDaniel Willmann <dwillmann@sysmocom.de>2016-02-04 15:41:26 +0100
commit546494b936e541579c01ebf158f5243672d134c2 (patch)
tree6c416eea7af95d3a05667f9da409652afed6e642
parente6274e26b1d86afdd14ce70bb49e521669f3d38d (diff)
gprs_gmm.c: Don't try to de-reference NULL mmctx
There was a comment in the code that certain GMM messages require a valid mmctx pointer. However, nothing actually checked whether that pointer was in fact non-NULL. We plainly crashed if an MS sent us the wrong message in the wrong state.
-rw-r--r--openbsc/src/gprs/gprs_gmm.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 2ea835294..befc0dce7 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -1313,7 +1313,17 @@ static int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
case GSM48_MT_GMM_ATTACH_REQ:
rc = gsm48_rx_gmm_att_req(mmctx, msg, llme);
break;
+ default:
+ break;
+ }
+
/* For all the following types mmctx can not be NULL */
+ if (!mmctx) {
+ /* FIXME: return some error? */
+ return -1;
+ }
+
+ switch (gh->msg_type) {
case GSM48_MT_GMM_ID_RESP:
rc = gsm48_rx_gmm_id_resp(mmctx, msg);
break;
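Review bot: As far as the hunk shows, a message already handled by the first switch still falls through to the new `if (!mmctx)` check, so an attach request that arrives without a context has the `rc` from `gsm48_rx_gmm_att_req()` replaced by -1, and one that arrives with a context continues into the second switch, where it presumably lands in a default case outside this hunk. Letting the context-optional cases leave the function directly, e.g. `return gsm48_rx_gmm_att_req(mmctx, msg, llme);`, would keep the two groups apart, provided nothing after the second switch has to run for them. The rejection path is also silent: the commit message says an MS can trigger it, so a log line carrying `gh->msg_type` before `return -1;` would let operators notice such traffic, and the FIXME should be settled with a defined error return rather than a bare -1. The body of gsm0408_rcv_gmm starts and ends outside the hunk.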