gprs_gmm.c: Don't try to de-reference NULL mmctx

There was a comment in the code that certain GMM messages require a valid mmctx pointer. However, nothing actually checked if that pointer was in fact non-NULL. We plainly crashed if a MS would send us the wrong message in the wrong state.
author: Harald Welte <laforge@gnumonks.org> 2015-12-25 20:12:28 +0100
committer: Neels Hofmeyr <nhofmeyr@sysmocom.de> 2016-03-03 16:19:07 +0100
commit: 342f59d92e1503b4eba6d2db6861b1701b193055 (patch)
tree: 821ac3912a96476b060f77b63235c52110f68666 /openbsc/src/gprs/gprs_gmm.c
parent: aefb0c45e921f738eee7ce1f7149e0114d8528c0 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 4dcd4cdb3..d06b2c0d6 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -1345,7 +1345,17 @@ static int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
 	case GSM48_MT_GMM_ATTACH_REQ:
 		rc = gsm48_rx_gmm_att_req(mmctx, msg, llme);
 		break;
+	default:
+		break;
+	}
+
 	/* For all the following types mmctx can not be NULL */
+	if (!mmctx) {
+		/* FIXME: return some error? */
+		return -1;
+	}
+
+	switch (gh->msg_type) {
 	case GSM48_MT_GMM_ID_RESP:
 		rc = gsm48_rx_gmm_id_resp(mmctx, msg);
 		break;
author	Harald Welte <laforge@gnumonks.org>	2015-12-25 20:12:28 +0100
committer	Neels Hofmeyr <nhofmeyr@sysmocom.de>	2016-03-03 16:19:07 +0100
commit	342f59d92e1503b4eba6d2db6861b1701b193055 (patch)
tree	821ac3912a96476b060f77b63235c52110f68666 /openbsc/src/gprs/gprs_gmm.c
parent	aefb0c45e921f738eee7ce1f7149e0114d8528c0 (diff)