authorVadim Yanitskiy <axilirator@gmail.com>2019-07-24 19:14:32 +0700
committerVadim Yanitskiy <axilirator@gmail.com>2019-07-24 19:14:44 +0700
commit937f583a7e0c5334b68e958683624e6dfadcd6c0 (patch)
tree89ba0d0dc20e958385d9183db359cd2969749a15 /src
parent4ca7f6a17e0677d9b54d7cd5786c47cba24544b1 (diff)
hlr_ussd.c: rx_proc_ss_req(): fix NULL pointer dereference
The SS payload is mandatory for GSUP PROC_SS_{REQ,RSP} messages with session state BEGIN or CONTINUE, and optional for the END. Make sure that it's present for both BEGIN and CONTINUE, consider received message as incorrect otherwise. In case of the END, call handle_ussd() / handle_ss() only if SS payload is present. Change-Id: Ia71cabbf396bd1388e764a1749e953ac1782e307 Fixes: CID#188841
Diffstat (limited to 'src')
-rw-r--r--src/hlr_ussd.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/src/hlr_ussd.c b/src/hlr_ussd.c
index 773c571..1568815 100644
--- a/src/hlr_ussd.c
+++ b/src/hlr_ussd.c
@@ -519,6 +519,11 @@ int rx_proc_ss_req(struct osmo_gsup_conn *conn, const struct osmo_gsup_message *
/* FIXME: Send a Reject component? */
goto out_err;
}
+ } else if (gsup->session_state != OSMO_GSUP_SESSION_STATE_END) {
+ LOGP(DSS, LOGL_ERROR, "%s/0x%082x: Missing SS payload for '%s'\n",
+ gsup->imsi, gsup->session_id,
+ osmo_gsup_session_state_name(gsup->session_state));
+ goto out_err;
}
switch (gsup->session_state) {
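Review bot: The format string in the added LOGP call spells the session-id conversion as `%082x`, which zero-pads the value to 82 characters; `%08x` was presumably intended, giving `"%s/0x%08x: Missing SS payload for '%s'\n"`. This branch is reached when a peer sends a BEGIN or CONTINUE message without SS payload, so this is the line an operator reads when diagnosing malformed input, and it should stay short and greppable. If neighbouring log calls outside the hunk use the same spelling, they would need the same correction. The `if` that this `else if` attaches to starts above the hunk and is not visible here.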
@@ -606,13 +611,18 @@ int rx_proc_ss_req(struct osmo_gsup_conn *conn, const struct osmo_gsup_message *
gsup->imsi, gsup->session_id);
goto out_err;
}
- if (ss_op_is_ussd(req.opcode)) {
- /* dispatch unstructured SS to routing */
- handle_ussd(conn, ss, gsup, &req);
- } else {
- /* dispatch non-call SS to internal code */
- handle_ss(ss, gsup, &req);
+
+ /* SS payload is optional for END */
+ if (gsup->ss_info && gsup->ss_info_len) {
+ if (ss_op_is_ussd(req.opcode)) {
+ /* dispatch unstructured SS to routing */
+ handle_ussd(conn, ss, gsup, &req);
+ } else {
+ /* dispatch non-call SS to internal code */
+ handle_ss(ss, gsup, &req);
+ }
}
+
ss_session_free(ss);
break;
default:
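Review bot: The comment above the new guard in the END case says the payload is optional but not why the dispatch has to be skipped, which is the point that prevents the NULL dereference. Presumably `req` is only decoded when the payload was present (the decode sits above the first hunk and is not visible), so a fuller comment would help: `/* SS payload is optional for END; req is only decoded when it is present, so skip dispatch otherwise */`. The test `gsup->ss_info && gsup->ss_info_len` also repeats the presence check instead of reusing a single result, and the two can drift apart; a local `bool` set at the decode site would keep them in step. An END without payload now frees the session silently, so a debug-level log on that path would make it visible in traces. The `case` body starts outside the hunk.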