nat: Verify that the endpoint from the assignment command exists

Make sure that the MSC endpoint exists on the NAT, otherwise we end up trying to free this endpoint when the SCCP connection is taken down and will corrupt our memory. This issue started to pop up as we have reduced the number of endpoints to 60 to allow transcoding on them.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-11-04 17:14:41 +0100
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-11-04 17:14:41 +0100
commit: 1406977e7eb2f5753c8ca24c451e88b0e403bd77 (patch)
tree: 66fcdacc40577e8488895b1365219bf86f26fd0b /openbsc/src/nat
parent: f3d1ae70722560d8dc01a73f5c2633b2a8d181bf (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/openbsc/src/nat/bsc_mgcp_utils.c b/openbsc/src/nat/bsc_mgcp_utils.c
index 750975fdb..cb6360bfa 100644
--- a/openbsc/src/nat/bsc_mgcp_utils.c
+++ b/openbsc/src/nat/bsc_mgcp_utils.c
@@ -75,7 +75,7 @@ int bsc_mgcp_assign_patch(struct sccp_connections *con, struct msgb *msg)
 	uint16_t cic;
 	uint8_t timeslot;
 	uint8_t multiplex;
-	int endp;
+	unsigned int endp;
 
 	if (!msg->l3h) {
 		LOGP(DNAT, LOGL_ERROR, "Assignment message should have l3h pointer.\n");
@@ -100,6 +100,13 @@ int bsc_mgcp_assign_patch(struct sccp_connections *con, struct msgb *msg)
 
 	endp = mgcp_timeslot_to_endpoint(multiplex, timeslot);
 
+	if (endp >= con->bsc->nat->mgcp_cfg->number_endpoints) {
+		LOGP(DNAT, LOGL_ERROR,
+			"MSC attempted to assign bad endpoint 0x%x\n",
+			endp);
+		return -1;
+	}
+
 	/* find stale connections using that endpoint */
 	llist_for_each_entry(mcon, &con->bsc->nat->sccp_connections, list_entry) {
 		if (mcon->msc_endp == endp) {
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-11-04 17:14:41 +0100
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-11-04 17:14:41 +0100
commit	1406977e7eb2f5753c8ca24c451e88b0e403bd77 (patch)
tree	66fcdacc40577e8488895b1365219bf86f26fd0b /openbsc/src/nat
parent	f3d1ae70722560d8dc01a73f5c2633b2a8d181bf (diff)