From 777be2e734b95ab9982a20c22f134d004a78c961 Mon Sep 17 00:00:00 2001
From: Max <msuraev@sysmocom.de>
Date: Wed, 1 Mar 2017 18:16:44 +0100
Subject: Check for proper lapdm_datalink entity

Previously lapdm_datalink->entity->mode was dereferenced without
checking if correct entity is present. This might lead to
segfault. Check it explicitly before dereferencing, log error and
gracefully return if necessary.

Change-Id: I0361e3731e86712b415a370cab1128d611988f56
Related: OS#1898
---
 src/gsm/lapdm.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index fa7769b2..1fdf311c 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -852,10 +852,16 @@ static int rslms_rx_rll_udata_req(struct msgb *msg, struct lapdm_datalink *dl)
 	struct abis_rsl_rll_hdr *rllh = msgb_l2(msg);
 	uint8_t chan_nr = rllh->chan_nr;
 	uint8_t link_id = rllh->link_id;
-	int ui_bts = (le->mode == LAPDM_MODE_BTS && (link_id & 0x40));
 	uint8_t sapi = link_id & 7;
 	struct tlv_parsed tv;
-	int length;
+	int length, ui_bts;
+
+	if (!le) {
+		LOGP(DLLAPD, LOGL_ERROR, "lapdm_datalink without entity error\n");
+		msgb_free(msg);
+		return -EMLINK;
+	}
+	ui_bts = (le->mode == LAPDM_MODE_BTS && (link_id & 0x40));
 
 	/* check if the layer3 message length exceeds N201 */
 
-- 
cgit v1.2.3