From e523392c2c091f53c18edf2086d6966eec38561f Mon Sep 17 00:00:00 2001
From: Daniel Willmann
Date: Tue, 25 Dec 2012 23:15:50 +0100
Subject: lapd: Check in rslms_rx_rll() if lapdm context was initialized earlier

This was found while implementing handover on a sysmobts. When we receive a channel release request for a channel that was never really activated (set_lapdm_context() was not called) we segfault in lapd_recv_dlsap(). We now return early with -EINVAL in rslms_rx_rll() if we receive a message that assumes set_lapdm_context() was already called. These are:
* RSL_MT_UNIT_DATA_REQ
* RSL_MT_DATA_REQ
* RSL_MT_SUSP_REQ
* RSL_MT_REL_REQ
A test case was added to trigger the issue.
---
 src/gsm/lapdm.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 1c08113e..2bda48ae 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -1069,8 +1069,24 @@ static int rslms_rx_rll(struct msgb *msg, struct lapdm_channel *lc)
 return -EINVAL;
 }
 
- LOGP(DLLAPD, LOGL_INFO, "(%p) RLL Message '%s' received. (sapi %d)\n",
- lc->name, rsl_msg_name(msg_type), sapi);
+ switch (msg_type) {
+ case RSL_MT_UNIT_DATA_REQ:
+ case RSL_MT_DATA_REQ:
+ case RSL_MT_SUSP_REQ:
+ case RSL_MT_REL_REQ:
+ /* This is triggered in abnormal error conditions where
+ * set_lapdm_context() was not called for the channel earlier. */
+ if (!dl->dl.lctx.dl) {
+ LOGP(DLLAPD, LOGL_NOTICE, "(%p) RLL Message '%s' received without LAPDm context. (sapi %d)\n",
+ lc->name, rsl_msg_name(msg_type), sapi);
+ msgb_free(msg);
+ return -EINVAL;
+ }
+ break;
+ default:
+ LOGP(DLLAPD, LOGL_INFO, "(%p) RLL Message '%s' received. (sapi %d)\n",
+ lc->name, rsl_msg_name(msg_type), sapi);
+ }
 
 switch (msg_type) {
 case RSL_MT_UNIT_DATA_REQ:
--
cgit v1.2.3
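Review bot: The new `default:` branch silently drops the LOGL_INFO line for RSL_MT_UNIT_DATA_REQ, RSL_MT_DATA_REQ, RSL_MT_SUSP_REQ and RSL_MT_REL_REQ whenever the context is initialised, because the added `break;` leaves the switch before any logging, whereas the removed code logged every RLL message at that level. To keep the guard without losing that visibility, drop the `default:` label and move `LOGP(DLLAPD, LOGL_INFO, "(%p) RLL Message '%s' received. (sapi %d)\n", lc->name, rsl_msg_name(msg_type), sapi);` to just after the closing brace of the new switch. rslms_rx_rll() begins before the hunk, so where `dl` comes from and whether the earlier `return -EINVAL;` at the top of the hunk frees `msg` is not visible here; the new error path does call `msgb_free(msg)`, so it is worth confirming that both early returns agree on who owns `msg`. The added LOGL_NOTICE line also runs well past the column width the surrounding code wraps at and should be broken like the LOGP below it.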