authorNeels Hofmeyr <neels@hofmeyr.de>2020-07-01 16:11:09 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>2020-07-01 23:33:16 +0200
commit5b36d13ba54b0e78414f1352bac28466dfe74c27 (patch)
treeb608f17095a79336442b3c3a466f4e9c602f4d76
parentb697274daabed2bf7454cc05d3e3689e91665e36 (diff)
sgs_tx_loc_upd_resp_cb(): fix error handling for MI encoding
new_id_ptr should be passed as NULL if encoding the TMSI failed, so initialize it accordingly. Also add some bloat to better handle the case of an encoding error, even though from code analysis that should not be possible here: there is enough buffer, the MI is a TMSI encoded from a uint32_t... The problem was introduced by Idfc8e576e10756aeaacf5569f6178068313eb7ea, before which new_id_len was always 0 when no TMSI was present. Related: CID#210894 Change-Id: I800c5dca3fdbdedf70a64d9fd5a1bdfd1397f431
-rw-r--r--src/libmsc/sgs_iface.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/libmsc/sgs_iface.c b/src/libmsc/sgs_iface.c
index b792e466f..d13449d29 100644
--- a/src/libmsc/sgs_iface.c
+++ b/src/libmsc/sgs_iface.c
@@ -372,7 +372,7 @@ static void sgs_tx_loc_upd_resp_cb(struct sgs_lu_response *response)
struct vlr_subscr *vsub = response->vsub;
struct sgs_mme_ctx *mme;
uint8_t new_id[2 + GSM48_TMSI_LEN];
- uint8_t *new_id_ptr = new_id;
+ uint8_t *new_id_ptr = NULL;
int new_id_len = 0;
uint8_t resp_msg_type;
@@ -403,8 +403,14 @@ static void sgs_tx_loc_upd_resp_cb(struct sgs_lu_response *response)
.tmsi = vsub->tmsi_new,
};
new_id_len = osmo_mobile_identity_encode_buf(new_id, sizeof(new_id), &tmsi_mi, false);
- if (new_id_len > 0)
+ if (new_id_len > 0) {
new_id_ptr = new_id;
+ } else {
+ /* Failure to encode the TMSI is not actually possible here, this is just for paranoia
+ * and coverity scan. */
+ new_id_len = 0;
+ LOGPFSMSL(vsub->sgs_fsm, DMM, LOGL_ERROR, "Cannot encode TMSI Mobile Identity\n");
+ }
}
resp = gsm29118_create_lu_ack(vsub->imsi, &vsub->sgs.lai, new_id_ptr, new_id_len);
sgs_tx(mme->conn, resp);
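Review bot: The new else branch overwrites the encoder's return value before logging, so the error message cannot say why encoding failed. Logging first, e.g. `LOGPFSMSL(vsub->sgs_fsm, DMM, LOGL_ERROR, "Cannot encode TMSI Mobile Identity (rc=%d)\n", new_id_len);` ahead of `new_id_len = 0;`, keeps that detail. Holding the result in a separate `rc` and assigning `new_id_len = rc;` only in the success branch would also guarantee by construction that no negative length reaches gsm29118_create_lu_ack(), instead of relying on the reset. On failure the ack is still sent without a new identity while `vsub->tmsi_new` stays set; whether that mismatch is handled presumably depends on code outside this hunk, since the function body starts and ends outside it.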