| field | value | date |
|---|---|---|
| author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2015-01-12 13:23:05 +0100 |
| committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2015-01-18 13:17:09 +0100 |
| commit | 424ffa480630a4242d2a6f6b27b9e6b1ec08d206 | |
| tree | b7eaefc9675bb31cb3b4bb01101bdb7a77c2d09b /openbsc | |
| parent | 0572ee045d1b7c29a0c34b27867b3f8669eb5038 | |
gprs: Handle empty GSUP messages correctly
Currently, the gprs_gsup_decode function doesn't check the return
value of gprs_shift_v_fixed before using the value pointer. The
function fails if the GSUP message length (not including IPA
headers) is 0. In this case, a segfault can happen, depending on the
value of the uninitialized 'value' pointer. The test case doesn't
trigger a segfault, but valgrind complains about reading
uninitialized data.
This patch adds a check for the return value that would return with
an error code if the shift function failed.
Sponsored-by: On-Waves ehf
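The defect described in the commit message, as an added example that is not OpenBSC's or libosmocore's own code: a minimal fixed-length "shift" helper in the style of the gprs_shift_v_fixed call, a decoder that checks its return value before touching the value pointer, and a zero-length input that exercises the error path. The names shift_v_fixed, example_decode, struct example_msg and the EXAMPLE_CAUSE_INV_MAND_INFO constant are hypothetical stand-ins defined here; they are not the project's identifiers.

```c
/* Added example, not OpenBSC code. Shows why the return value of a
 * shift/consume helper must be checked before the output pointer is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for GMM_CAUSE_INV_MAND_INFO (the real enum lives in libosmocore);
 * the value is constructed for this example only. */
#define EXAMPLE_CAUSE_INV_MAND_INFO 96

struct example_msg {
	uint8_t message_type;
	size_t rest_len;   /* bytes left after the message type octet */
};

/* Consume `len` bytes from the front of the buffer.
 * Returns the number of bytes consumed, or -1 if the buffer is too short.
 * On failure *value is deliberately left untouched: this is the property
 * that made the unchecked call in the original code read an uninitialized
 * pointer when data_len was 0. */
static int shift_v_fixed(const uint8_t **data, size_t *data_len,
			 size_t len, const uint8_t **value)
{
	if (*data_len < len)
		return -1;
	*value = *data;
	*data += len;
	*data_len -= len;
	return (int)len;
}

/* Decoder mirroring the corrected code path: an empty message yields an
 * error code instead of dereferencing whatever `value` happened to hold. */
int example_decode(const uint8_t *data, size_t data_len,
		   struct example_msg *out)
{
	/* Initialized to NULL so that any future unchecked shift fails
	 * deterministically (a NULL dereference) rather than depending on
	 * stack contents, which is what made the original bug intermittent. */
	const uint8_t *value = NULL;
	int rc;

	/* generic part: the first octet is the message type */
	rc = shift_v_fixed(&data, &data_len, 1, &value);
	if (rc < 0)
		return -EXAMPLE_CAUSE_INV_MAND_INFO;

	out->message_type = value[0];
	out->rest_len = data_len;
	return 0;
}

int main(void)
{
	/* Constructed inputs: an empty message and a 3-byte message. */
	const uint8_t empty[1] = { 0 };
	const uint8_t good[3] = { 0x05, 0x01, 0x02 };
	struct example_msg m;

	printf("empty message -> rc=%d\n", example_decode(empty, 0, &m));
	if (example_decode(good, sizeof(good), &m) == 0)
		printf("message_type=0x%02x rest_len=%zu\n",
		       m.message_type, m.rest_len);
	return 0;
}
```

The point of the example is the ordering: the error check sits between the shift and the first use of `value`, so no code path can read the pointer when the helper has not written it. Running it under valgrind on the empty input reports no uninitialized read, which is the check the commit message describes.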
Diffstat (limited to 'openbsc')
-rw-r--r-- | openbsc/src/gprs/gprs_gsup_messages.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gprs_gsup_messages.c b/openbsc/src/gprs/gprs_gsup_messages.c index c3d187db6..02e14e794 100644 --- a/openbsc/src/gprs/gprs_gsup_messages.c +++ b/openbsc/src/gprs/gprs_gsup_messages.c @@ -174,7 +174,10 @@ int gprs_gsup_decode(const uint8_t *const_data, size_t data_len, static const struct gsm_auth_tuple empty_auth_info = {0}; /* generic part */ - gprs_shift_v_fixed(&data, &data_len, 1, &value); + rc = gprs_shift_v_fixed(&data, &data_len, 1, &value); + if (rc < 0) + return -GMM_CAUSE_INV_MAND_INFO; + gsup_msg->message_type = decode_big_endian(value, 1); rc = gprs_match_tlv(&data, &data_len, GPRS_GSUP_IMSI_IE, |
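Review bot: `value` is still uninitialized on the new error path, so the fix relies entirely on this one `if (rc < 0)` check; since the declaration of `value` is outside this hunk, consider also initializing it to NULL there, so that any later call in gprs_gsup_decode that forgets to check a shift result fails deterministically instead of depending on stack contents as the commit message describes. The commit message also says the existing test only surfaces the bug under valgrind; a regression test that hands the decoder a message with `data_len == 0` and asserts a return of `-GMM_CAUSE_INV_MAND_INFO` would cover this path without relying on valgrind being run.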