diff options
author | Harald Welte <laforge@osmocom.org> | 2020-12-12 15:58:28 +0100 |
---|---|---|
committer | Harald Welte <laforge@osmocom.org> | 2020-12-12 16:16:57 +0100 |
commit | 1aa0ae9db162c02c5202fafd880afee9fe6ad1a2 (patch) | |
tree | 21bee17b867ca72251a127a593da77a050903357 | |
parent | cab858824233597a15debe4c78bd867e58aa6335 (diff) |
gbproxy: Fix segfault when receiving PAGING for unknown destination
The 'nse' variable had been used both as the input argument of the
SGSN-side NSE, as well as a loop iteration variable. Let's separate
this clearly.
Closes: OS#4904
Change-Id: I375a219cd72eb11a9a0cb7d55a3efb7b83b771ac
-rw-r--r-- | src/gbproxy/gb_proxy.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/gbproxy/gb_proxy.c b/src/gbproxy/gb_proxy.c index 5e6f23897..a976d252f 100644 --- a/src/gbproxy/gb_proxy.c +++ b/src/gbproxy/gb_proxy.c @@ -828,11 +828,12 @@ err_no_bvc: } /* Receive paging request from SGSN, we need to relay to proper BSS */ -static int gbprox_rx_paging(struct gbproxy_nse *nse, struct msgb *msg, const char *pdut_name, +static int gbprox_rx_paging(struct gbproxy_nse *sgsn_nse, struct msgb *msg, const char *pdut_name, struct tlv_parsed *tp, uint16_t ns_bvci) { - struct gbproxy_config *cfg = nse->cfg; + struct gbproxy_config *cfg = sgsn_nse->cfg; struct gbproxy_bvc *sgsn_bvc, *bss_bvc; + struct gbproxy_nse *nse; unsigned int n_nses = 0; int errctr = GBPROX_GLOB_CTR_PROTO_ERR_SGSN; int i, j; @@ -842,9 +843,9 @@ static int gbprox_rx_paging(struct gbproxy_nse *nse, struct msgb *msg, const cha if (TLVP_PRES_LEN(tp, BSSGP_IE_BVCI, 2)) { uint16_t bvci = ntohs(tlvp_val16_unal(tp, BSSGP_IE_BVCI)); errctr = GBPROX_GLOB_CTR_OTHER_ERR; - sgsn_bvc = gbproxy_bvc_by_bvci(nse, bvci); + sgsn_bvc = gbproxy_bvc_by_bvci(sgsn_nse, bvci); if (!sgsn_bvc) { - LOGPNSE(nse, LOGL_NOTICE, "Rx %s: unable to route: BVCI=%05u unknown\n", + LOGPNSE(sgsn_nse, LOGL_NOTICE, "Rx %s: unable to route: BVCI=%05u unknown\n", pdut_name, bvci); rate_ctr_inc(&cfg->ctrg->ctr[errctr]); return -EINVAL; @@ -893,12 +894,12 @@ static int gbprox_rx_paging(struct gbproxy_nse *nse, struct msgb *msg, const cha } } } else { - LOGPNSE(nse, LOGL_ERROR, "BSSGP PAGING: unable to route, missing IE\n"); + LOGPNSE(sgsn_nse, LOGL_ERROR, "BSSGP PAGING: unable to route, missing IE\n"); rate_ctr_inc(&cfg->ctrg->ctr[errctr]); } if (n_nses == 0) { - LOGPNSE(nse, LOGL_ERROR, "BSSGP PAGING: unable to route, no destination found\n"); + LOGPNSE(sgsn_nse, LOGL_ERROR, "BSSGP PAGING: unable to route, no destination found\n"); rate_ctr_inc(&cfg->ctrg->ctr[errctr]); return -EINVAL; } |