| author | Daniel Willmann <daniel@totalueberwachung.de> | 2012-12-25 23:15:50 +0100 | 
|---|---|---|
| committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2012-12-26 10:48:01 +0100 | 
| commit | e523392c2c091f53c18edf2086d6966eec38561f (patch) | |
| tree | c74facf8897c5513adfa95e710d8388cfe170bad /src | |
| parent | 0167596c2bf19102eac8a69f5066eedbae72a167 (diff) | |
lapd: Check in rslms_rx_rll() if lapdm context was initialized earlier
This was found while implementing handover on a sysmobts. When we
receive a channel release request for a channel that was never really
activated (set_lapdm_context() was not called) we segfault in
lapd_recv_dlsap().
We now return early with -EINVAL in rslms_rx_rll() if we receive a
message that assumes set_lapdm_context() was already called.
These are:
* RSL_MT_UNIT_DATA_REQ
* RSL_MT_DATA_REQ
* RSL_MT_SUSP_REQ
* RSL_MT_REL_REQ
A test case was added to trigger the issue.
Diffstat (limited to 'src')
| -rw-r--r-- | src/gsm/lapdm.c | 20 | 
1 files changed, 18 insertions, 2 deletions
| diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 1c08113e..2bda48ae 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -1069,8 +1069,24 @@ static int rslms_rx_rll(struct msgb *msg, struct lapdm_channel *lc)
 		return -EINVAL;
 	}
-	LOGP(DLLAPD, LOGL_INFO, "(%p) RLL Message '%s' received. (sapi %d)\n",
-		lc->name, rsl_msg_name(msg_type), sapi);
+	switch (msg_type) {
+	case RSL_MT_UNIT_DATA_REQ:
+	case RSL_MT_DATA_REQ:
+	case RSL_MT_SUSP_REQ:
+	case RSL_MT_REL_REQ:
+		/* This is triggered in abnormal error conditions where
+		 * set_lapdm_context() was not called for the channel earlier. */
+		if (!dl->dl.lctx.dl) {
+			LOGP(DLLAPD, LOGL_NOTICE, "(%p) RLL Message '%s' received without LAPDm context. (sapi %d)\n",
+					lc->name, rsl_msg_name(msg_type), sapi);
+			msgb_free(msg);
+			return -EINVAL;
+		}
+		break;
+	default:
+		LOGP(DLLAPD, LOGL_INFO, "(%p) RLL Message '%s' received. (sapi %d)\n",
+			lc->name, rsl_msg_name(msg_type), sapi);
+	}
 	switch (msg_type) {
 	case RSL_MT_UNIT_DATA_REQ: | 
