From 342f59d92e1503b4eba6d2db6861b1701b193055 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Fri, 25 Dec 2015 20:12:28 +0100
Subject: gprs_gmm.c: Don't try to de-reference NULL mmctx

There was a comment in the code that certain GMM messages require a valid mmctx pointer. However, nothing actually checked if that pointer was in fact non-NULL. We plainly crashed if a MS would send us the wrong message in the wrong state.
---
 openbsc/src/gprs/gprs_gmm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 4dcd4cdb3..d06b2c0d6 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -1345,7 +1345,17 @@ static int gsm0408_rcv_gmm(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
 	case GSM48_MT_GMM_ATTACH_REQ:
 		rc = gsm48_rx_gmm_att_req(mmctx, msg, llme);
 		break;
+	default:
+		break;
+	}
+
 	/* For all the following types mmctx can not be NULL */
+	if (!mmctx) {
+		/* FIXME: return some error? */
+		return -1;
+	}
+
+	switch (gh->msg_type) {
 	case GSM48_MT_GMM_ID_RESP:
 		rc = gsm48_rx_gmm_id_resp(mmctx, msg);
 		break;
-- 
cgit v1.2.3
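Review bot: The new guard throws away the result of the message that was just handled: an ATTACH_REQ (and any other type the first switch dispatches) arriving with a NULL mmctx is processed by `gsm48_rx_gmm_att_req()` and the function then returns -1 instead of `rc`, so the caller sees an error for a message that was handled. Conversely, with a non-NULL mmctx those same types now fall into the second `switch` as well; if that switch still ends in the original unknown-message `default:` (outside the hunk), they would be reported as unknown and `rc` overwritten. Returning straight out of the first switch avoids both problems, i.e. `return gsm48_rx_gmm_att_req(mmctx, msg, llme);` in place of the `rc = …; break;` pair, leaving the `default: break;` to carry the remaining types on to the NULL check. The NULL-mmctx branch should also not be silent: a NOTICE-level log that includes `gh->msg_type` would make a MS sending out-of-state messages visible to operators instead of just dropped, and the `FIXME` could name the real open question, whether the MS should get a GMM STATUS reply rather than no answer at all. gsm0408_rcv_gmm starts before and ends after this hunk.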