acouzens
/
open5gs
1
0
Fork 1
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed a crash when slice/session overflow (#1637)

This commit is contained in:
Sukchan Lee 2022-06-30 13:33:16 +09:00
parent ad159d1755
commit 50be661cf9
9 changed files with 92 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/amf/context.c
View File

@ -2057,7 +2057,9 @@ void amf_clear_subscribed_info(amf_ue_t *amf_ue)
ogs_assert(amf_ue);
ogs_assert(amf_ue->num_of_slice <= OGS_MAX_NUM_OF_SLICE);
for (i = 0; i < amf_ue->num_of_slice; i++) {
ogs_assert(amf_ue->slice[i].num_of_session <= OGS_MAX_NUM_OF_SESS);
for (j = 0; j < amf_ue->slice[i].num_of_session; j++) {
ogs_assert(amf_ue->slice[i].session[j].name);
ogs_free(amf_ue->slice[i].session[j].name);

18
src/amf/gmm-handler.c
View File

@ -1000,6 +1000,11 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
for (i = 0; i < amf_ue->num_of_slice; i++) {
if (i >= OGS_MAX_NUM_OF_SLICE) {
ogs_warn("Ignore max slice count overflow [%d>=%d]",
amf_ue->num_of_slice, OGS_MAX_NUM_OF_SLICE);
break;
}
if (ul_nas_transport->presencemask &
OGS_NAS_5GS_UL_NAS_TRANSPORT_S_NSSAI_PRESENT) {
ogs_nas_s_nssai_ie_t ie;
@ -1015,6 +1020,12 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
}
}
for (j = 0; j < amf_ue->allowed_nssai.num_of_s_nssai; j++) {
if (j >= OGS_MAX_NUM_OF_SLICE) {
ogs_warn("Ignore max slice count overflow [%d>=%d]",
amf_ue->allowed_nssai.num_of_s_nssai,
OGS_MAX_NUM_OF_SLICE);
break;
}
if (amf_ue->slice[i].s_nssai.sst ==
amf_ue->allowed_nssai.s_nssai[j].sst &&
amf_ue->slice[i].s_nssai.sd.v ==
@ -1025,6 +1036,13 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
for (k = 0;
k < amf_ue->slice[i].num_of_session; k++) {
if (k >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session "
"count overflow [%d>=%d]",
amf_ue->slice[i].num_of_session,
OGS_MAX_NUM_OF_SESS);
break;
}
if (!strcmp(dnn->value,
amf_ue->slice[i].session[k].name)) {

10
src/hss/hss-s6a-path.c
View File

@ -566,7 +566,15 @@ static int hss_ogs_diam_s6a_ulr_cb( struct msg **msg, struct avp *avp,
struct avp *pdn_gw_allocation_type;
struct avp *vplmn_dynamic_address_allowed;
ogs_session_t *session = &slice_data->session[i];
ogs_session_t *session = NULL;
if (i >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[i];
ogs_assert(session);
session->context_identifier = i+1;

10
src/hss/hss-swx-path.c
View File

@ -592,7 +592,15 @@ static int hss_ogs_diam_swx_sar_cb( struct msg **msg, struct avp *avp,
struct avp *pdn_gw_allocation_type;
struct avp *vplmn_dynamic_address_allowed;
ogs_session_t *session = &slice_data->session[i];
ogs_session_t *session = NULL;
if (i >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[i];
ogs_assert(session);
session->context_identifier = i+1;

3
src/mme/mme-context.c
View File

@ -3281,6 +3281,7 @@ void mme_session_remove_all(mme_ue_t *mme_ue)
ogs_assert(mme_ue);
ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
for (i = 0; i < mme_ue->num_of_session; i++) {
if (mme_ue->session[i].name)
ogs_free(mme_ue->session[i].name);
@ -3297,6 +3298,7 @@ ogs_session_t *mme_session_find_by_apn(mme_ue_t *mme_ue, char *apn)
ogs_assert(mme_ue);
ogs_assert(apn);
ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
for (i = 0; i < mme_ue->num_of_session; i++) {
session = &mme_ue->session[i];
ogs_assert(session->name);
@ -3314,6 +3316,7 @@ ogs_session_t *mme_default_session(mme_ue_t *mme_ue)
ogs_assert(mme_ue);
ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
for (i = 0; i < mme_ue->num_of_session; i++) {
session = &mme_ue->session[i];
if (session->context_identifier == mme_ue->context_identifier)

10
src/mme/mme-fd-path.c
View File

@ -913,8 +913,14 @@ static void mme_s6a_ula_cb(void *data, struct msg **msg)
*/
case OGS_DIAM_S6A_AVP_CODE_APN_CONFIGURATION:
{
ogs_session_t *session =
&slice_data->session[slice_data->num_of_session];
ogs_session_t *session = NULL;
if (slice_data->num_of_session >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[slice_data->num_of_session];
ogs_assert(session);
/* AVP: 'Service-Selection'(493)

4
src/mme/mme-s11-handler.c
View File

@ -1111,7 +1111,7 @@ void mme_s11_handle_release_access_bearers_response(
* Check MME-UE Context
***********************/
if (!mme_ue_from_teid) {
ogs_error("No Context in TEID");
ogs_error("No Context in TEID [ACTION:%d]", action);
}
/********************
@ -1123,7 +1123,7 @@ void mme_s11_handle_release_access_bearers_response(
cause_value = cause->value;
if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED)
ogs_error("GTP Failed [CAUSE:%d]", cause_value);
ogs_error("GTP Failed [CAUSE:%d, ACTION:%d]", cause_value, action);
}
/********************

12
src/mme/mme-s6a-handler.c
View File

@ -67,10 +67,13 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
mme_session_remove_all(mme_ue);
mme_ue->num_of_session = slice_data->num_of_session;
mme_ue->context_identifier = slice_data->context_identifier;
for (i = 0; i < slice_data->num_of_session; i++) {
if (i >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
mme_ue->session[i].name = ogs_strdup(slice_data->session[i].name);
ogs_assert(mme_ue->session[i].name);
@ -89,4 +92,7 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
memcpy(&mme_ue->session[i].smf_ip, &slice_data->session[i].smf_ip,
sizeof(mme_ue->session[i].smf_ip));
}
mme_ue->num_of_session = i;
mme_ue->context_identifier = slice_data->context_identifier;
}

35
src/udr/nudr-handler.c
View File

@ -539,13 +539,26 @@ bool udr_nudr_dr_handle_subscription_provisioned(
ogs_assert(SubscribedSnssaiInfoList);
for (i = 0; i < subscription_data.num_of_slice; i++) {
if (i >= OGS_MAX_NUM_OF_SLICE) {
ogs_warn("Ignore max slice count overflow [%d>=%d]",
subscription_data.num_of_slice, OGS_MAX_NUM_OF_SLICE);
break;
}
slice_data = &subscription_data.slice[i];
DnnInfoList = OpenAPI_list_create();
ogs_assert(DnnInfoList);
for (j = 0; j < slice_data->num_of_session; j++) {
ogs_session_t *session = &slice_data->session[j];
ogs_session_t *session = NULL;
if (j >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[j];
ogs_assert(session);
ogs_assert(session->name);
@ -662,7 +675,15 @@ bool udr_nudr_dr_handle_subscription_provisioned(
dnnConfigurationList = OpenAPI_list_create();
for (i = 0; i < slice_data->num_of_session; i++) {
ogs_session_t *session = &slice_data->session[i];
ogs_session_t *session = NULL;
if (i >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[i];
ogs_assert(session);
ogs_assert(session->name);
@ -1024,7 +1045,15 @@ bool udr_nudr_dr_handle_policy_data(
slice_data = &subscription_data.slice[0];
for (i = 0; i < slice_data->num_of_session; i++) {
ogs_session_t *session = &slice_data->session[i];
ogs_session_t *session = NULL;
if (i >= OGS_MAX_NUM_OF_SESS) {
ogs_warn("Ignore max session count overflow [%d>=%d]",
slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
break;
}
session = &slice_data->session[i];
ogs_assert(session);
ogs_assert(session->name);