From 5b36d13ba54b0e78414f1352bac28466dfe74c27 Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Wed, 1 Jul 2020 16:11:09 +0200
Subject: sgs_tx_loc_upd_resp_cb(): fix error handling for MI encoding

new_id_ptr should be passed as NULL if encoding the TMSI failed, so initialize it accordingly. Also add some bloat to better handle the case of an encoding error, even though from code analysis that should not be possible here: there is enough buffer, the MI is a TMSI encoded from a uint32_t... The problem was introduced by Idfc8e576e10756aeaacf5569f6178068313eb7ea, before which new_id_len was always 0 when no TMSI was present.

Related: CID#210894
Change-Id: I800c5dca3fdbdedf70a64d9fd5a1bdfd1397f431
---
 src/libmsc/sgs_iface.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/libmsc/sgs_iface.c b/src/libmsc/sgs_iface.c
index b792e466f..d13449d29 100644
--- a/src/libmsc/sgs_iface.c
+++ b/src/libmsc/sgs_iface.c
@@ -372,7 +372,7 @@ static void sgs_tx_loc_upd_resp_cb(struct sgs_lu_response *response)
 struct vlr_subscr *vsub = response->vsub;
 struct sgs_mme_ctx *mme;
 uint8_t new_id[2 + GSM48_TMSI_LEN];
- uint8_t *new_id_ptr = new_id;
+ uint8_t *new_id_ptr = NULL;
 int new_id_len = 0;
 uint8_t resp_msg_type;
@@ -403,8 +403,14 @@ static void sgs_tx_loc_upd_resp_cb(struct sgs_lu_response *response)
 .tmsi = vsub->tmsi_new,
 };
 new_id_len = osmo_mobile_identity_encode_buf(new_id, sizeof(new_id), &tmsi_mi, false);
- if (new_id_len > 0)
+ if (new_id_len > 0) {
 new_id_ptr = new_id;
+ } else {
+ /* Failure to encode the TMSI is not actually possible here, this is just for paranoia
+ * and coverity scan. */
+ new_id_len = 0;
+ LOGPFSMSL(vsub->sgs_fsm, DMM, LOGL_ERROR, "Cannot encode TMSI Mobile Identity\n");
+ }
 }
 resp = gsm29118_create_lu_ack(vsub->imsi, &vsub->sgs.lai, new_id_ptr, new_id_len);
 sgs_tx(mme->conn, resp);
-- cgit v1.2.3
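Review bot: The new else branch throws away the only diagnostic it has, because `new_id_len = 0;` runs before the LOGPFSMSL() call, so the return value of osmo_mobile_identity_encode_buf() that the branch is zeroing is gone by the time the error is logged. Swap the two statements and include it in the message: `LOGPFSMSL(vsub->sgs_fsm, DMM, LOGL_ERROR, "Cannot encode TMSI Mobile Identity (rc=%d)\n", new_id_len);` followed by `new_id_len = 0;`. The branch then still hands a NULL/0 identity to gsm29118_create_lu_ack() and sends the LU Accept without the new TMSI; if vsub->tmsi_new has already been allocated at this point (not visible in the hunk), the VLR presumably keeps a pending TMSI the UE never received, so the comment should state that fallback explicitly, e.g. `/* Unreachable by analysis (buffer is sized for a TMSI MI); if it ever happens, send the LU Accept without a new TMSI and leave tmsi_new pending. */`, rather than only "paranoia and coverity scan". sgs_tx_loc_upd_resp_cb() begins before this hunk and its body may continue past the sgs_tx() call.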