diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2009-11-20 15:14:01 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-04-07 23:09:21 +0200 |
commit | 19bab73d7903d0718979aca1463503fcc185166b (patch) | |
tree | e7979235893ce67e8be0f551b3c143956ef1ce22 /openbsc/src | |
parent | 500ff97c21c14f6c76afe902c4ceebf8bc6497d2 (diff) |
[rsl] Speculative crash fix in the RSL rcv message
The theory is that the BTS is almost dead and sends out
a incomplete message and we crash with that. I have not
been able to completely verify that.
Diffstat (limited to 'openbsc/src')
-rw-r--r-- | openbsc/src/abis_rsl.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/openbsc/src/abis_rsl.c b/openbsc/src/abis_rsl.c index 0e572ccce..0e385c18c 100644 --- a/openbsc/src/abis_rsl.c +++ b/openbsc/src/abis_rsl.c @@ -1652,9 +1652,21 @@ static int abis_rsl_rx_ipacc(struct msgb *msg) /* Entry-point where L2 RSL from BTS enters */ int abis_rsl_rcvmsg(struct msgb *msg) { - struct abis_rsl_common_hdr *rslh = msgb_l2(msg) ; + struct abis_rsl_common_hdr *rslh; int rc = 0; + if (!msg) { + DEBUGP(DRSL, "Empty RSL msg?..\n"); + return -1; + } + + if (msgb_l2len(msg) < sizeof(*rslh)) { + DEBUGP(DRSL, "Truncated RSL message with l2len: %u\n", msgb_l2len(msg)); + return -1; + } + + rslh = msgb_l2(msg); + switch (rslh->msg_discr & 0xfe) { case ABIS_RSL_MDISC_RLL: rc = abis_rsl_rx_rll(msg); |