authorHarald Welte <laforge@gnumonks.org>2018-01-24 22:38:06 +0100
committerHarald Welte <laforge@gnumonks.org>2018-01-24 23:12:15 +0100
commit284c39af2a365e9a1c30815869543a193b95e0b1 (patch)
tree7151a46e7482bf2569680f2a8dae2d43db001f92 /src/libmsc/osmo_msc.c
parent49f8fcbd94a24f3d0ae28ecd81baf2a4ddaee9a8 (diff)
msc_cipher_mode_compl: Handle CIPH MOD COMPL without L3 message
According to TS 44.008 Section 3.2.1.31, the "Layer 3 Message Contents" IE of the BSSMAP Cipher Mode Complete is optional. The BSC may hence include that IE or not. Without this patch, OsmoMSC crashes if that IE is missing: <000a> a_iface_bssap.c:699 Rx BSC DT: 00 03 55 2c 02 <000a> a_iface_bssap.c:629 Rx MSC DT1 BSSMAP CIPHER MODE COMPLETE <001f> a_iface_bssap.c:91 Found A subscriber for conn_id 1 <000a> a_iface_bssap.c:415 BSC sends cipher mode complete (conn_id=1) ==5611== Invalid read of size 8 ==5611== at 0x128D0F: msc_cipher_mode_compl (osmo_msc.c:159) ==5611== by 0x114F62: bssmap_rx_ciph_compl.isra.8 (a_iface_bssap.c:432) ==5611== by 0x113267: sccp_sap_up (a_iface.c:520) Change-Id: I722f9b468b157b3736918f090daaa9489a6028ee Closes: OS#2871
Diffstat (limited to 'src/libmsc/osmo_msc.c')
-rw-r--r--src/libmsc/osmo_msc.c52
1 files changed, 26 insertions, 26 deletions
diff --git a/src/libmsc/osmo_msc.c b/src/libmsc/osmo_msc.c
index 2a868a880..755f8aa91 100644
--- a/src/libmsc/osmo_msc.c
+++ b/src/libmsc/osmo_msc.c
@@ -156,43 +156,43 @@ void msc_classmark_chg(struct gsm_subscriber_connection *conn,
void msc_cipher_mode_compl(struct gsm_subscriber_connection *conn,
struct msgb *msg, uint8_t alg_id)
{
- struct gsm48_hdr *gh = msgb_l3(msg);
- unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
- struct tlv_parsed tp;
- uint8_t mi_type;
- char imeisv[GSM48_MI_SIZE] = "";
struct vlr_ciph_result ciph_res = { .cause = VLR_CIPH_REJECT };
- if (!gh) {
- LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
- return;
- }
-
if (!conn) {
- LOGP(DRR, LOGL_ERROR,
- "invalid: rx Ciphering Mode Complete on NULL conn\n");
+ LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete on NULL conn\n");
return;
}
if (!conn->vsub) {
- LOGP(DRR, LOGL_ERROR,
- "invalid: rx Ciphering Mode Complete for NULL subscr\n");
+ LOGP(DRR, LOGL_ERROR, "invalid: rx Ciphering Mode Complete for NULL subscr\n");
return;
}
- DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n",
- vlr_subscr_name(conn->vsub));
+ DEBUGP(DRR, "%s: CIPHERING MODE COMPLETE\n", vlr_subscr_name(conn->vsub));
- tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+ if (msg) {
+ struct gsm48_hdr *gh = msgb_l3(msg);
+ unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
+ struct tlv_parsed tp;
+ uint8_t mi_type;
+ char imeisv[GSM48_MI_SIZE] = "";
+
+ if (!gh) {
+ LOGP(DRR, LOGL_ERROR, "invalid: msgb without l3 header\n");
+ return;
+ }
- /* bearer capability */
- if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
- mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
- if (mi_type == GSM_MI_TYPE_IMEISV
- && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
- gsm48_mi_to_string(imeisv, sizeof(imeisv),
- TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
- TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
- ciph_res.imeisv = imeisv;
+ tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
+
+ /* bearer capability */
+ if (TLVP_PRESENT(&tp, GSM48_IE_MOBILE_ID)) {
+ mi_type = TLVP_VAL(&tp, GSM48_IE_MOBILE_ID)[0] & GSM_MI_TYPE_MASK;
+ if (mi_type == GSM_MI_TYPE_IMEISV
+ && TLVP_LEN(&tp, GSM48_IE_MOBILE_ID) > 0) {
+ gsm48_mi_to_string(imeisv, sizeof(imeisv),
+ TLVP_VAL(&tp, GSM48_IE_MOBILE_ID),
+ TLVP_LEN(&tp, GSM48_IE_MOBILE_ID));
+ ciph_res.imeisv = imeisv;
+ }
}
}