authorHolger Hans Peter Freyther <zecke@selfish.org>2009-11-20 15:14:01 +0100
committerHolger Hans Peter Freyther <zecke@selfish.org>2010-04-07 23:09:21 +0200
commit19bab73d7903d0718979aca1463503fcc185166b (patch)
treee7979235893ce67e8be0f551b3c143956ef1ce22 /openbsc
parent500ff97c21c14f6c76afe902c4ceebf8bc6497d2 (diff)
[rsl] Speculative crash fix in the RSL rcv message
The theory is that the BTS is almost dead and sends out an incomplete message, and we crash on that. I have not been able to completely verify this.
Diffstat (limited to 'openbsc')
-rw-r--r--openbsc/src/abis_rsl.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/openbsc/src/abis_rsl.c b/openbsc/src/abis_rsl.c
index 0e572ccc..0e385c18 100644
--- a/openbsc/src/abis_rsl.c
+++ b/openbsc/src/abis_rsl.c
@@ -1652,9 +1652,21 @@ static int abis_rsl_rx_ipacc(struct msgb *msg)
/* Entry-point where L2 RSL from BTS enters */
int abis_rsl_rcvmsg(struct msgb *msg)
{
- struct abis_rsl_common_hdr *rslh = msgb_l2(msg) ;
+ struct abis_rsl_common_hdr *rslh;
int rc = 0;
+ if (!msg) {
+ DEBUGP(DRSL, "Empty RSL msg?..\n");
+ return -1;
+ }
+
+ if (msgb_l2len(msg) < sizeof(*rslh)) {
+ DEBUGP(DRSL, "Truncated RSL message with l2len: %u\n", msgb_l2len(msg));
+ return -1;
+ }
+
+ rslh = msgb_l2(msg);
+
switch (rslh->msg_discr & 0xfe) {
case ABIS_RSL_MDISC_RLL:
rc = abis_rsl_rx_rll(msg);
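Review bot: The new guard on lines 33–36 only establishes that the one-byte common header (`msg_discr`) is present; the per-discriminator handlers it dispatches to, such as `abis_rsl_rx_rll(msg)`, presumably cast the same L2 buffer to their longer headers and walk the trailing IEs, and nothing here bounds that, so a BTS sending a truncated message can still reach those casts. Either each handler should re-check `msgb_l2len(msg)` against its own header size before dereferencing, or this entry point should apply a per-`msg_discr` minimum length instead of `sizeof(*rslh)`. Separately, if `msgb_l2len()` derives its value from `msg->l2h`, an unset `l2h` would not be caught by the `<` comparison (the pointer subtraction would yield a large unsigned value) and `rslh` would be NULL at line 38; a cheap extra guard is `if (!msgb_l2(msg) || msgb_l2len(msg) < sizeof(*rslh))`. Since the input comes from a remote BTS over Abis, this is an untrusted-input path and arguably merits a non-debug log level, but that depends on what logging macros the file has. The body of `abis_rsl_rcvmsg` and its `switch` continue past the end of this hunk.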