acouzens
/
open5gs
1
0
Fork 1
Code Issues Pull Requests 1 Projects Releases Wiki Activity

[PFCP] security vulnerability continued in d99491a

This commit is contained in:
Sukchan Lee 2022-08-16 20:32:42 +09:00
parent dbf6971dcf
commit 444e182288
1 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
lib/pfcp/handler.c
View File

@ -74,10 +74,11 @@ bool ogs_pfcp_cp_handle_association_setup_request(
if (req->up_function_features.presence) { if (req->up_function_features.presence) {
if (req->up_function_features.data && req->up_function_features.len) { if (req->up_function_features.data && req->up_function_features.len) {
node->up_function_features_len = req->up_function_features.len; node->up_function_features_len =
ogs_min(req->up_function_features.len,
sizeof(node->up_function_features));
memcpy(&node->up_function_features, req->up_function_features.data, memcpy(&node->up_function_features, req->up_function_features.data,
ogs_min(sizeof(node->up_function_features), node->up_function_features_len);
node->up_function_features_len));
} }
} }
@ -121,10 +122,11 @@ bool ogs_pfcp_cp_handle_association_setup_response(
if (rsp->up_function_features.presence) { if (rsp->up_function_features.presence) {
if (rsp->up_function_features.data && rsp->up_function_features.len) { if (rsp->up_function_features.data && rsp->up_function_features.len) {
node->up_function_features_len = rsp->up_function_features.len; node->up_function_features_len =
ogs_min(rsp->up_function_features.len,
sizeof(node->up_function_features));
memcpy(&node->up_function_features, rsp->up_function_features.data, memcpy(&node->up_function_features, rsp->up_function_features.data,
ogs_min(sizeof(node->up_function_features), node->up_function_features_len);
node->up_function_features_len));
} }
} }
@ -453,9 +455,9 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
pdr->f_teid_len = 0; pdr->f_teid_len = 0;
if (message->pdi.local_f_teid.presence) { if (message->pdi.local_f_teid.presence) {
pdr->f_teid_len = message->pdi.local_f_teid.len; pdr->f_teid_len =
memcpy(&pdr->f_teid, message->pdi.local_f_teid.data, ogs_min(message->pdi.local_f_teid.len, sizeof(pdr->f_teid));
ogs_min(sizeof(pdr->f_teid), pdr->f_teid_len)); memcpy(&pdr->f_teid, message->pdi.local_f_teid.data, pdr->f_teid_len);
ogs_assert(pdr->f_teid.ipv4 || pdr->f_teid.ipv6); ogs_assert(pdr->f_teid.ipv4 || pdr->f_teid.ipv6);
pdr->f_teid.teid = be32toh(pdr->f_teid.teid); pdr->f_teid.teid = be32toh(pdr->f_teid.teid);
} }
@ -470,19 +472,21 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
pdr->ue_ip_addr_len = 0; pdr->ue_ip_addr_len = 0;
if (message->pdi.ue_ip_address.presence) { if (message->pdi.ue_ip_address.presence) {
pdr->ue_ip_addr_len = message->pdi.ue_ip_address.len; pdr->ue_ip_addr_len =
ogs_min(message->pdi.ue_ip_address.len, sizeof(pdr->ue_ip_addr));
memcpy(&pdr->ue_ip_addr, message->pdi.ue_ip_address.data, memcpy(&pdr->ue_ip_addr, message->pdi.ue_ip_address.data,
ogs_min(sizeof(pdr->ue_ip_addr), pdr->ue_ip_addr_len)); pdr->ue_ip_addr_len);
} }
memset(&pdr->outer_header_removal, 0, sizeof(pdr->outer_header_removal)); memset(&pdr->outer_header_removal, 0, sizeof(pdr->outer_header_removal));
pdr->outer_header_removal_len = 0; pdr->outer_header_removal_len = 0;
if (message->outer_header_removal.presence) { if (message->outer_header_removal.presence) {
pdr->outer_header_removal_len = message->outer_header_removal.len; pdr->outer_header_removal_len =
ogs_min(message->outer_header_removal.len,
sizeof(pdr->outer_header_removal));
memcpy(&pdr->outer_header_removal, message->outer_header_removal.data, memcpy(&pdr->outer_header_removal, message->outer_header_removal.data,
ogs_min(sizeof(pdr->outer_header_removal), pdr->outer_header_removal_len);
pdr->outer_header_removal_len));
} }
pdr->far = NULL; pdr->far = NULL;