authorPhilipp Maier <pmaier@sysmocom.de>2019-01-08 12:29:49 +0100
committerHarald Welte <laforge@gnumonks.org>2019-01-12 10:26:00 +0000
commitec5901c8f23e5896949e61650a4190ec20b85665 (patch)
tree28ee6ce569a6c84d8b315297c917f0be88ff503c /src
parent9b9e76fe01501a7091ba53b0e33724d20ab1539e (diff)
gsm_04_08: Fix nullpointer deref
The pointers conn, conn->vsub and conn->vsub->last_tuple are checked, but before the check those pointers are already dereferenced during assignment. This defeats the purpose of the check. Let's dereference those pointers after the check. Fixes: CID#190404 Change-Id: Ice4992606f3799eac13154ec0b9f53e46d2e178e
Diffstat (limited to 'src')
-rw-r--r--src/libmsc/gsm_04_08.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 7a485c704..adc946eb9 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -1603,12 +1603,12 @@ osmo_static_assert(sizeof(((struct gsm0808_encrypt_info*)0)->key) >= sizeof(((st
int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool retrieve_imeisv)
{
- struct gsm_network *net = conn->network;
+ struct gsm_network *net;
struct gsm0808_encrypt_info ei;
int i, j = 0;
int request_classmark = 0;
int request_classmark_for_a5_n = 0;
- struct vlr_auth_tuple *tuple = conn->vsub->last_tuple;
+ struct vlr_auth_tuple *tuple;
if (!conn || !conn->vsub || !conn->vsub->last_tuple) {
/* This should really never happen, because we checked this in msc_vlr_set_ciph_mode()
@@ -1617,6 +1617,9 @@ int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool re
return -EINVAL;
}
+ net = conn->network;
+ tuple = conn->vsub->last_tuple;
+
for (i = 0; i < 8; i++) {
int supported;
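Review bot: The two assignments added after the guard have no comment saying why they are not initializers, so a later tidy-up could fold them back into the declarations and reintroduce the dereference-before-check this commit removes; with the dereference first, a compiler may also treat the pointers as non-NULL and drop the check. I would add `/* Assigned only after the NULL checks above; do not turn these into initializers. */` directly above `net = conn->network;`. Separately, the guard covers `conn`, `conn->vsub` and `conn->vsub->last_tuple` but not `conn->network`. The function body continues outside the hunk, so if `net` is dereferenced further down it presumably relies on the network pointer always being set; that is worth confirming, or adding `|| !conn->network` to the existing condition.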