gprs: Fix gprs_msgb_copy pointer computation

Currently the pointers are computed by adding an offset to the new
message's _data pointer even when the original pointer is NULL.
This leads to invalid pointers in the copied msgb.

This patch adds a NULL check to each computation such that NULL
pointers are not adjusted.

Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/gprs/gprs_utils.c b/openbsc/src/gprs/gprs_utils.c
index 55d4efd..c620454 100644
--- a/openbsc/src/gprs/gprs_utils.c
+++ b/openbsc/src/gprs/gprs_utils.c
@@ -47,21 +47,29 @@
 	new_msg->head += msg->head - msg->_data;
 	new_msg->tail += msg->tail - msg->_data;
 
-	new_msg->l1h = new_msg->_data + (msg->l1h - msg->_data);
-	new_msg->l2h = new_msg->_data + (msg->l2h - msg->_data);
-	new_msg->l3h = new_msg->_data + (msg->l3h - msg->_data);
-	new_msg->l4h = new_msg->_data + (msg->l4h - msg->_data);
+	if (msg->l1h)
+		new_msg->l1h = new_msg->_data + (msg->l1h - msg->_data);
+	if (msg->l2h)
+		new_msg->l2h = new_msg->_data + (msg->l2h - msg->_data);
+	if (msg->l3h)
+		new_msg->l3h = new_msg->_data + (msg->l3h - msg->_data);
+	if (msg->l4h)
+		new_msg->l4h = new_msg->_data + (msg->l4h - msg->_data);
 
 	/* copy GB specific data */
 	old_cb = LIBGB_MSGB_CB(msg);
 	new_cb = LIBGB_MSGB_CB(new_msg);
 
-	new_cb->bssgph = new_msg->_data + (old_cb->bssgph - msg->_data);
-	new_cb->llch = new_msg->_data + (old_cb->llch - msg->_data);
+	if (old_cb->bssgph)
+		new_cb->bssgph = new_msg->_data + (old_cb->bssgph - msg->_data);
+	if (old_cb->llch)
+		new_cb->llch = new_msg->_data + (old_cb->llch - msg->_data);
 
 	/* bssgp_cell_id is a pointer into the old msgb, so we need to make
 	 * it a pointer into the new msgb */
-	new_cb->bssgp_cell_id = new_msg->_data + (old_cb->bssgp_cell_id - msg->_data);
+	if (old_cb->bssgp_cell_id)
+		new_cb->bssgp_cell_id = new_msg->_data +
+			(old_cb->bssgp_cell_id - msg->_data);
 	new_cb->nsei = old_cb->nsei;
 	new_cb->bvci = old_cb->bvci;
 	new_cb->tlli = old_cb->tlli;
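Review bot: When a source pointer is NULL, the new `if` guards on l1h–l4h, bssgph, llch and bssgp_cell_id leave the matching field of new_msg untouched, so the copy is only correct if new_msg and its control block were zeroed when allocated. That allocation is outside this hunk (the function starts and ends outside it), so it cannot be confirmed from here. Writing the NULL case explicitly removes the dependency, e.g. `new_msg->l1h = msg->l1h ? new_msg->_data + (msg->l1h - msg->_data) : NULL;`, and likewise for the other six fields. Separately, a non-NULL pointer is still rebased without checking that it lies inside the original buffer, so a stale header pointer would be carried into the copy as an out-of-range pointer. A bounds check or assertion against `msg->_data` and the buffer length before rebasing would catch that early.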