author | Harald Welte <laforge@gnumonks.org> | 2016-11-11 15:10:33 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2016-11-11 14:49:31 +0000 |
commit | 6176b6e0924f2bd7d212472bcba9dddf8ac32f51 (patch) | |
tree | e91f5aaf6a4bbdddc018da16ad3e495bbe6082c0 /src | |
parent | c4193d30e82307b87a7a7bce3ea5ed48f2f2f716 (diff) |
bssgp_rx_paging(): Fix parsing of P-TMSI IE in Paging message
This was actually discovered by the following compiler warning in
gcc-6.2.0:
CC gprs_bssgp_bss.lo
gprs_bssgp_bss.c: In function ‘bssgp_rx_paging’:
gprs_bssgp_bss.c:544:2: warning: this ‘if’ clause does not guard...
[-Wmisleading-indentation]
if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
^~
gprs_bssgp_bss.c:548:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
*(pinfo->ptmsi) = ntohl(*(uint32_t *)
^
This is an actual bug. If we received a BSSGP Paging Request without
P-TMSI, we might crash or report some random memory as P-TMSI to the
caller in the output data structure.
Change-Id: Ib4f307827cd7cccc91c1415a6fb5428d7cf8416d
Diffstat (limited to 'src')
-rw-r--r-- | src/gb/gprs_bssgp_bss.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/gb/gprs_bssgp_bss.c b/src/gb/gprs_bssgp_bss.c
index 61ed0c43..73c13509 100644
--- a/src/gb/gprs_bssgp_bss.c
+++ b/src/gb/gprs_bssgp_bss.c
@@ -542,11 +542,12 @@ int bssgp_rx_paging(struct bssgp_paging_info *pinfo,
 /* Optional (P-)TMSI */
 if (TLVP_PRESENT(&tp, BSSGP_IE_TMSI) &&
- TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4)
+ TLVP_LEN(&tp, BSSGP_IE_TMSI) >= 4) {
 if (!pinfo->ptmsi)
 pinfo->ptmsi = talloc_zero_size(pinfo, sizeof(uint32_t));
 *(pinfo->ptmsi) = ntohl(*(uint32_t *)
 TLVP_VAL(&tp, BSSGP_IE_TMSI));
+ }
 return 0; |
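Review bot: The result of `talloc_zero_size()` is dereferenced on the following line without a NULL check, so an allocation failure while handling a received Paging message becomes a write through a NULL pointer; the new braces scope the store correctly but leave this open. Adding `if (!pinfo->ptmsi) return -ENOMEM;` after the allocation would close it, with the error value adjusted to whatever the function's other failure paths use (they are outside the hunk). The `*(uint32_t *) TLVP_VAL(&tp, BSSGP_IE_TMSI)` cast also reads a 32-bit value through a pointer into the message buffer, which is presumably not guaranteed to be 4-byte aligned; copying into a local first with `memcpy(&tmsi, TLVP_VAL(&tp, BSSGP_IE_TMSI), sizeof(tmsi));` and storing `ntohl(tmsi)` avoids the unaligned access. bssgp_rx_paging's body starts before the hunk.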