authorJacob Erlbeck <jerlbeck@sysmocom.de>2015-01-12 13:23:05 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2015-01-18 13:17:09 +0100
commit424ffa480630a4242d2a6f6b27b9e6b1ec08d206 (patch)
treeb7eaefc9675bb31cb3b4bb01101bdb7a77c2d09b /openbsc/src/gprs/gprs_gsup_messages.c
parent0572ee045d1b7c29a0c34b27867b3f8669eb5038 (diff)
gprs: Handle empty GSUP messages correctly
Currently, the gprs_gsup_decode function doesn't check the return value of gprs_shift_v_fixed before using the value pointer. The function fails if the GSUP message length (not including IPA headers) is 0. In this case, a segfault can happen, depending on the value of the uninitialized 'value' pointer. The test case doesn't trigger a segfault, but valgrind complains about reading uninitialized data. This patch adds a check for the return value that returns with an error code if the shift function failed. Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/src/gprs/gprs_gsup_messages.c')
-rw-r--r--openbsc/src/gprs/gprs_gsup_messages.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gprs_gsup_messages.c b/openbsc/src/gprs/gprs_gsup_messages.c
index c3d187db6..02e14e794 100644
--- a/openbsc/src/gprs/gprs_gsup_messages.c
+++ b/openbsc/src/gprs/gprs_gsup_messages.c
@@ -174,7 +174,10 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len,
static const struct gsm_auth_tuple empty_auth_info = {0};
/* generic part */
- gprs_shift_v_fixed(&data, &data_len, 1, &value);
+ rc = gprs_shift_v_fixed(&data, &data_len, 1, &value);
+ if (rc < 0)
+ return -GMM_CAUSE_INV_MAND_INFO;
+
gsup_msg->message_type = decode_big_endian(value, 1);
rc = gprs_match_tlv(&data, &data_len, GPRS_GSUP_IMSI_IE,