sysmobts: Avoid a crash when trying to look-up a BTS

The nanoBTS code is trying to find a struct gsm_bts based on
the ipaccess_gsmnet and the ipaccess_unit data. The pointer is
not initialized in the case of a sysmoBTS leading to a classic
NULL pointer dereference.

Move the feature init into the _init method. This way we can
re-use the start code of the nanoBTS. This ensures that the
ipaccess_gsmnet pointer is properly initialized and that the
signal handlers are installed.

2 files changed, 13 insertions, 26 deletions

diff --git a/openbsc/src/libbsc/bts_ipaccess_nanobts.c b/openbsc/src/libbsc/bts_ipaccess_nanobts.c
index 5d96967cf..cebb7ae82 100644
--- a/openbsc/src/libbsc/bts_ipaccess_nanobts.c
+++ b/openbsc/src/libbsc/bts_ipaccess_nanobts.c
@@ -457,25 +457,24 @@ int bts_ipa_nm_sig_cb(unsigned int subsys, unsigned int signal,
 	return 0;
 }
 
-static struct gsm_network *ipaccess_gsmnet;
+struct gsm_network *ipaccess_gsmnet;
 
 static int bts_model_nanobts_start(struct gsm_network *net)
 {
-	bts_model_nanobts.features.data = &bts_model_nanobts._features_data[0];
-	bts_model_nanobts.features.data_len =
-				sizeof(bts_model_nanobts._features_data);
-
-	gsm_btsmodel_set_feature(&bts_model_nanobts, BTS_FEAT_GPRS);
-	gsm_btsmodel_set_feature(&bts_model_nanobts, BTS_FEAT_EGPRS);
-
 	osmo_signal_register_handler(SS_NM, bts_ipa_nm_sig_cb, NULL);
-
 	ipaccess_gsmnet = net;
 	return 0;
 }
 
 int bts_model_nanobts_init(void)
 {
+	bts_model_nanobts.features.data = &bts_model_nanobts._features_data[0];
+	bts_model_nanobts.features.data_len =
+				sizeof(bts_model_nanobts._features_data);
+
+	gsm_btsmodel_set_feature(&bts_model_nanobts, BTS_FEAT_GPRS);
+	gsm_btsmodel_set_feature(&bts_model_nanobts, BTS_FEAT_EGPRS);
+
 	return gsm_bts_model_register(&bts_model_nanobts);
 }
 
diff --git a/openbsc/src/libbsc/bts_sysmobts.c b/openbsc/src/libbsc/bts_sysmobts.c
index 9479206d2..754e277e5 100644
--- a/openbsc/src/libbsc/bts_sysmobts.c
+++ b/openbsc/src/libbsc/bts_sysmobts.c
@@ -38,15 +38,16 @@
 #include <osmocom/abis/ipaccess.h>
 #include <osmocom/core/logging.h>
 
-extern int bts_ipa_nm_sig_cb(unsigned int subsys, unsigned int signal,
-			     void *handler_data, void *signal_data);
-
 extern struct gsm_bts_model bts_model_nanobts;
 
 static struct gsm_bts_model model_sysmobts;
 
-static int bts_model_sysmobts_start(struct gsm_network *net)
+int bts_model_sysmobts_init(void)
 {
+	model_sysmobts = bts_model_nanobts;
+	model_sysmobts.name = "sysmobts";
+	model_sysmobts.type = GSM_BTS_TYPE_OSMO_SYSMO;
+
 	model_sysmobts.features.data = &model_sysmobts._features_data[0];
 	model_sysmobts.features.data_len =
 				sizeof(model_sysmobts._features_data);
@@ -54,18 +55,5 @@ static int bts_model_sysmobts_start(struct gsm_network *net)
 	gsm_btsmodel_set_feature(&model_sysmobts, BTS_FEAT_GPRS);
 	gsm_btsmodel_set_feature(&model_sysmobts, BTS_FEAT_EGPRS);
 
-	osmo_signal_register_handler(SS_NM, bts_ipa_nm_sig_cb, NULL);
-
-	return 0;
-}
-
-int bts_model_sysmobts_init(void)
-{
-	memcpy(&model_sysmobts, &bts_model_nanobts, sizeof(model_sysmobts));
-
-	model_sysmobts.name = "sysmobts";
-	model_sysmobts.start = bts_model_sysmobts_start;
-	model_sysmobts.type = GSM_BTS_TYPE_OSMO_SYSMO;
-
 	return gsm_bts_model_register(&model_sysmobts);
 }