diff options
author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-11-04 17:14:41 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-11-04 17:14:41 +0100 |
commit | 1406977e7eb2f5753c8ca24c451e88b0e403bd77 (patch) | |
tree | 66fcdacc40577e8488895b1365219bf86f26fd0b /openbsc | |
parent | f3d1ae70722560d8dc01a73f5c2633b2a8d181bf (diff) |
nat: Verify that the endpoint from the assignment command exists
Make sure that the MSC endpoint exists on the NAT, otherwise
we end up trying to free this endpoint when the SCCP connection
is taken down and will corrupt our memory. This issue started
to pop up as we have reduced the number of endpoints to 60
to allow transcoding on them.
Diffstat (limited to 'openbsc')
-rw-r--r-- | openbsc/src/nat/bsc_mgcp_utils.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/openbsc/src/nat/bsc_mgcp_utils.c b/openbsc/src/nat/bsc_mgcp_utils.c index 750975fdb..cb6360bfa 100644 --- a/openbsc/src/nat/bsc_mgcp_utils.c +++ b/openbsc/src/nat/bsc_mgcp_utils.c @@ -75,7 +75,7 @@ int bsc_mgcp_assign_patch(struct sccp_connections *con, struct msgb *msg) uint16_t cic; uint8_t timeslot; uint8_t multiplex; - int endp; + unsigned int endp; if (!msg->l3h) { LOGP(DNAT, LOGL_ERROR, "Assignment message should have l3h pointer.\n"); @@ -100,6 +100,13 @@ int bsc_mgcp_assign_patch(struct sccp_connections *con, struct msgb *msg) endp = mgcp_timeslot_to_endpoint(multiplex, timeslot); + if (endp >= con->bsc->nat->mgcp_cfg->number_endpoints) { + LOGP(DNAT, LOGL_ERROR, + "MSC attempted to assign bad endpoint 0x%x\n", + endp); + return -1; + } + /* find stale connections using that endpoint */ llist_for_each_entry(mcon, &con->bsc->nat->sccp_connections, list_entry) { if (mcon->msc_endp == endp) { |