diff options
| author | Harald Welte <laforge@gnumonks.org> | 2015-12-25 20:12:28 +0100 |
|---|---|---|
| committer | Daniel Willmann <dwillmann@sysmocom.de> | 2016-02-04 15:41:26 +0100 |
| commit | 546494b936e541579c01ebf158f5243672d134c2 (patch) | |
| tree | 6c416eea7af95d3a05667f9da409652afed6e642 | |
| parent | e6274e26b1d86afdd14ce70bb49e521669f3d38d (diff) | |
gprs_gmm.c: Don't try to de-reference NULL mmctx
There was a comment in the code that certain GMM messages require a
valid mmctx pointer. However, nothing actually checked if that pointer
was in fact non-NULL. We plainly crashed if a MS would send us the
wrong message in the wrong state.
| -rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c index 2ea835294..befc0dce7 100644 --- a/openbsc/src/gprs/gprs_gmm.c +++ b/openbsc/src/gprs/gprs_gmm.c @@ -1313,7 +1313,17 @@ static int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg, case GSM48_MT_GMM_ATTACH_REQ: rc = gsm48_rx_gmm_att_req(mmctx, msg, llme); break; + default: + break; + } + /* For all the following types mmctx can not be NULL */ + if (!mmctx) { + /* FIXME: return some error? */ + return -1; + } + + switch (gh->msg_type) { case GSM48_MT_GMM_ID_RESP: rc = gsm48_rx_gmm_id_resp(mmctx, msg); break; |