author | Philipp Maier <pmaier@sysmocom.de> | 2019-01-08 12:29:49 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2019-01-12 10:26:00 +0000 |
commit | ec5901c8f23e5896949e61650a4190ec20b85665 (patch) | |
tree | 28ee6ce569a6c84d8b315297c917f0be88ff503c | |
parent | 9b9e76fe01501a7091ba53b0e33724d20ab1539e (diff) |
gsm_04_08: Fix nullpointer deref
The pointers conn, conn->vsub and conn->vsub->last_tuple are checked,
but before the check those pointers are already dereferenced during
assignment. This defeats the purpose of the check. Let's dereference
those pointers after the check.
Fixes: CID#190404
Change-Id: Ice4992606f3799eac13154ec0b9f53e46d2e178e
-rw-r--r-- | src/libmsc/gsm_04_08.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 7a485c704..adc946eb9 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -1603,12 +1603,12 @@ osmo_static_assert(sizeof(((struct gsm0808_encrypt_info*)0)->key) >= sizeof(((st
 int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool retrieve_imeisv)
 {
- struct gsm_network *net = conn->network;
+ struct gsm_network *net;
 struct gsm0808_encrypt_info ei;
 int i, j = 0;
 int request_classmark = 0;
 int request_classmark_for_a5_n = 0;
- struct vlr_auth_tuple *tuple = conn->vsub->last_tuple;
+ struct vlr_auth_tuple *tuple;
 if (!conn || !conn->vsub || !conn->vsub->last_tuple) {
 /* This should really never happen, because we checked this in msc_vlr_set_ciph_mode()
@@ -1617,6 +1617,9 @@ int ran_conn_geran_set_cipher_mode(struct ran_conn *conn, bool umts_aka, bool re
 return -EINVAL;
 }
+ net = conn->network;
+ tuple = conn->vsub->last_tuple;
+
 for (i = 0; i < 8; i++) {
 int supported; |
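Review bot: `net` and `tuple` are now declared without an initializer in the first hunk and stay indeterminate for the whole guard block, so a later edit that uses either of them in the error path would read an uninitialized pointer rather than fail predictably. Declaring them as `struct gsm_network *net = NULL;` and `struct vlr_auth_tuple *tuple = NULL;` keeps the deferred assignment and turns such a mistake into a deterministic NULL dereference. The guard block and the rest of ran_conn_geran_set_cipher_mode() continue outside this hunk.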
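Review bot: `net = conn->network;` in the second hunk is taken without a check, while the guard above tests only `conn`, `conn->vsub` and `conn->vsub->last_tuple`. If `conn->network` can be unset on this path, the later uses of `net` (outside this hunk, so not verifiable here) would have the same class of defect this commit fixes. Either extend the guard with `|| !conn->network`, or state next to the assignment that the field is always set for the lifetime of the conn. A one-line comment above the two assignments, such as `/* Dereference only after the NULL checks above */`, would also keep a later cleanup from folding them back into the declarations.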