lchan_fsm: Fix possible NULL ptr dereference in _lchan_on_mode_modify_failure()

_lchan_on_activation_failure(), which calls lchan_on_mode_modify_failure(),
already checks for !for_conn in other paths. Hence, it can be that
for_conn being passed to _lchan_on_mode_modify_failure() may be null.

"""
 Stack trace of thread 7077:
 #0  0x000055d25a463842 _lchan_on_mode_modify_failure (osmo-bsc)
 #1  0x000055d25a46b57c _lchan_on_activation_failure (osmo-bsc)
 #2  0x00007fe8b2083be4 state_chg (libosmocore.so.17)
 #3  0x00007fe8b208409d _osmo_fsm_inst_state_chg (libosmocore.so.17)
 #4  0x000055d25a46825a lchan_fsm_wait_rll_rtp_establish (osmo-bsc)
 #5  0x00007fe8b2084239 _osmo_fsm_inst_dispatch (libosmocore.so.17)
 #6  0x00007fe8b2083be4 state_chg (libosmocore.so.17)
 #7  0x00007fe8b208409d _osmo_fsm_inst_state_chg (libosmocore.so.17)
 #8  0x000055d25a46dbdc lchan_rtp_fsm_wait_ipacc_mdcx_ack (osmo-bsc)
 #9  0x00007fe8b2084239 _osmo_fsm_inst_dispatch (libosmocore.so.17)
 #10 0x000055d25a411d69 abis_rsl_rx_ipacc_mdcx_ack (osmo-bsc)
"""

Related: SYS#5698
Change-Id: If8b2895feef6e30f9c1db97394dd16d892b277f2

1 files changed, 5 insertions, 0 deletions

diff --git a/src/osmo-bsc/lchan_fsm.c b/src/osmo-bsc/lchan_fsm.c
index 64840f07d..d5d6e7721 100644
--- a/src/osmo-bsc/lchan_fsm.c
+++ b/src/osmo-bsc/lchan_fsm.c
@@ -97,6 +97,11 @@ static void _lchan_on_mode_modify_failure(struct gsm_lchan *lchan, enum lchan_mo
 	case MODIFY_FOR_ASSIGNMENT:
 		LOG_LCHAN(lchan, LOGL_NOTICE, "Signalling Assignment FSM of error (%s)\n",
 			  lchan->last_error ? : "unknown error");
+		if (!for_conn) {
+			LOG_LCHAN(lchan, LOGL_ERROR, "lchan Channel Mode Modify failed, "
+				  "but modify request has no conn\n");
+			break;
+		}
 		_osmo_fsm_inst_dispatch(for_conn->assignment.fi, ASSIGNMENT_EV_LCHAN_ERROR, lchan,
 					file, line);
 		return;