diff --git a/src/amf/context.c b/src/amf/context.c
index cdf12fb07..3df017967 100644
--- a/src/amf/context.c
+++ b/src/amf/context.c
@@ -2057,7 +2057,9 @@ void amf_clear_subscribed_info(amf_ue_t *amf_ue)
 ogs_assert(amf_ue);
+ ogs_assert(amf_ue->num_of_slice <= OGS_MAX_NUM_OF_SLICE);
 for (i = 0; i < amf_ue->num_of_slice; i++) {
+ ogs_assert(amf_ue->slice[i].num_of_session <= OGS_MAX_NUM_OF_SESS);
 for (j = 0; j < amf_ue->slice[i].num_of_session; j++) {
 ogs_assert(amf_ue->slice[i].session[j].name);
 ogs_free(amf_ue->slice[i].session[j].name);
diff --git a/src/amf/gmm-handler.c b/src/amf/gmm-handler.c
index d75922699..9cf5a1d9e 100644
--- a/src/amf/gmm-handler.c
+++ b/src/amf/gmm-handler.c
@@ -1000,6 +1000,11 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
 for (i = 0; i < amf_ue->num_of_slice; i++) {
+ if (i >= OGS_MAX_NUM_OF_SLICE) {
+ ogs_warn("Ignore max slice count overflow [%d>=%d]",
+ amf_ue->num_of_slice, OGS_MAX_NUM_OF_SLICE);
+ break;
+ }
 if (ul_nas_transport->presencemask & OGS_NAS_5GS_UL_NAS_TRANSPORT_S_NSSAI_PRESENT) {
 ogs_nas_s_nssai_ie_t ie;
@@ -1015,6 +1020,12 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
 }
 }
 for (j = 0; j < amf_ue->allowed_nssai.num_of_s_nssai; j++) {
+ if (j >= OGS_MAX_NUM_OF_SLICE) {
+ ogs_warn("Ignore max slice count overflow [%d>=%d]",
+ amf_ue->allowed_nssai.num_of_s_nssai,
+ OGS_MAX_NUM_OF_SLICE);
+ break;
+ }
 if (amf_ue->slice[i].s_nssai.sst == amf_ue->allowed_nssai.s_nssai[j].sst && amf_ue->slice[i].s_nssai.sd.v ==
@@ -1025,6 +1036,13 @@ int gmm_handle_ul_nas_transport(amf_ue_t *amf_ue,
 for (k = 0; k < amf_ue->slice[i].num_of_session; k++) {
+ if (k >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session "
+ "count overflow [%d>=%d]",
+ amf_ue->slice[i].num_of_session,
+ OGS_MAX_NUM_OF_SESS);
+ break;
+ }
 if (!strcmp(dnn->value, amf_ue->slice[i].session[k].name)) {
diff --git a/src/hss/hss-s6a-path.c b/src/hss/hss-s6a-path.c
index 5ab3ea38f..94b5982eb 100644
--- a/src/hss/hss-s6a-path.c
+++ b/src/hss/hss-s6a-path.c
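Review bot: The two `ogs_assert()` bounds checks added ahead of the loops in amf_clear_subscribed_info() (src/amf/context.c) abort the whole AMF when a count is over the limit, so a single UE context with an oversized `num_of_slice` or `num_of_session` stops service for every subscriber. The code that stores these counts is not part of this diff; if it can take them from subscription data supplied by another network function, the assert is a reachable crash, and clamping with a logged error would fail more gracefully, e.g. `if (amf_ue->num_of_slice > OGS_MAX_NUM_OF_SLICE) amf_ue->num_of_slice = OGS_MAX_NUM_OF_SLICE;`. The same consideration applies to the three asserts added in src/mme/mme-context.c. The function body starts and ends outside the hunk.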
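Review bot: The `j` guard in the second src/amf/gmm-handler.c hunk compares against `OGS_MAX_NUM_OF_SLICE`, but the array it protects is `amf_ue->allowed_nssai.s_nssai[]`, whose declared size is not visible here. If that array is dimensioned by a different constant, the check is either too loose or needlessly strict. Bounding by the array's own element count removes the assumption, e.g. `if (j >= sizeof(amf_ue->allowed_nssai.s_nssai) / sizeof(amf_ue->allowed_nssai.s_nssai[0]))`. The `i` and `k` guards in the first and third hunks index `amf_ue->slice[]` and `slice[i].session[]`, which the constants used there presumably match. The loops and the function body continue outside all three hunks.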
@@ -566,7 +566,15 @@ static int hss_ogs_diam_s6a_ulr_cb( struct msg **msg, struct avp *avp,
 struct avp *pdn_gw_allocation_type;
 struct avp *vplmn_dynamic_address_allowed;
- ogs_session_t *session = &slice_data->session[i];
+ ogs_session_t *session = NULL;
+
+ if (i >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
+ session = &slice_data->session[i];
 ogs_assert(session);
 session->context_identifier = i+1;
diff --git a/src/hss/hss-swx-path.c b/src/hss/hss-swx-path.c
index d54dd6f76..c85029fb6 100644
--- a/src/hss/hss-swx-path.c
+++ b/src/hss/hss-swx-path.c
@@ -592,7 +592,15 @@ static int hss_ogs_diam_swx_sar_cb( struct msg **msg, struct avp *avp,
 struct avp *pdn_gw_allocation_type;
 struct avp *vplmn_dynamic_address_allowed;
- ogs_session_t *session = &slice_data->session[i];
+ ogs_session_t *session = NULL;
+
+ if (i >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
+ session = &slice_data->session[i];
 ogs_assert(session);
 session->context_identifier = i+1;
diff --git a/src/mme/mme-context.c b/src/mme/mme-context.c
index 2d0f33a23..aea4aeb94 100644
--- a/src/mme/mme-context.c
+++ b/src/mme/mme-context.c
@@ -3281,6 +3281,7 @@ void mme_session_remove_all(mme_ue_t *mme_ue)
 ogs_assert(mme_ue);
+ ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
 for (i = 0; i < mme_ue->num_of_session; i++) {
 if (mme_ue->session[i].name) ogs_free(mme_ue->session[i].name);
@@ -3297,6 +3298,7 @@ ogs_session_t *mme_session_find_by_apn(mme_ue_t *mme_ue, char *apn)
 ogs_assert(mme_ue);
 ogs_assert(apn);
+ ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
 for (i = 0; i < mme_ue->num_of_session; i++) {
 session = &mme_ue->session[i];
 ogs_assert(session->name);
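Review bot: The guard added in hss_ogs_diam_s6a_ulr_cb() (src/hss/hss-s6a-path.c), and the identical one in hss_ogs_diam_swx_sar_cb() (src/hss/hss-swx-path.c), protects only this reader of `slice_data->session[]`. If the code that fills the subscription data can store more than `OGS_MAX_NUM_OF_SESS` entries, the out-of-bounds write has already happened before this loop runs. That filling code is not part of this diff, so it is worth confirming that it caps `num_of_session` at the array size. A comment on the guard such as `/* defence in depth: num_of_session is expected to be capped when the subscription is loaded */` would record that expectation. The enclosing loop starts outside the hunk in both files.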
@@ -3314,6 +3316,7 @@ ogs_session_t *mme_default_session(mme_ue_t *mme_ue)
 ogs_assert(mme_ue);
+ ogs_assert(mme_ue->num_of_session <= OGS_MAX_NUM_OF_SESS);
 for (i = 0; i < mme_ue->num_of_session; i++) {
 session = &mme_ue->session[i];
 if (session->context_identifier == mme_ue->context_identifier)
diff --git a/src/mme/mme-fd-path.c b/src/mme/mme-fd-path.c
index c03c3f6d2..bf988a008 100644
--- a/src/mme/mme-fd-path.c
+++ b/src/mme/mme-fd-path.c
@@ -913,8 +913,14 @@ static void mme_s6a_ula_cb(void *data, struct msg **msg)
 */
 case OGS_DIAM_S6A_AVP_CODE_APN_CONFIGURATION: {
- ogs_session_t *session =
- &slice_data->session[slice_data->num_of_session];
+ ogs_session_t *session = NULL;
+
+ if (slice_data->num_of_session >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+ session = &slice_data->session[slice_data->num_of_session];
 ogs_assert(session);
 /* AVP: 'Service-Selection'(493)
diff --git a/src/mme/mme-s11-handler.c b/src/mme/mme-s11-handler.c
index 744757956..4ed29b868 100644
--- a/src/mme/mme-s11-handler.c
+++ b/src/mme/mme-s11-handler.c
@@ -1111,7 +1111,7 @@ void mme_s11_handle_release_access_bearers_response(
 * Check MME-UE Context ***********************/
 if (!mme_ue_from_teid) {
- ogs_error("No Context in TEID");
+ ogs_error("No Context in TEID [ACTION:%d]", action);
 }
 /********************
@@ -1123,7 +1123,7 @@ void mme_s11_handle_release_access_bearers_response(
 cause_value = cause->value;
 if (cause_value != OGS_GTP2_CAUSE_REQUEST_ACCEPTED)
- ogs_error("GTP Failed [CAUSE:%d]", cause_value);
+ ogs_error("GTP Failed [CAUSE:%d, ACTION:%d]", cause_value, action);
 }
 /********************
diff --git a/src/mme/mme-s6a-handler.c b/src/mme/mme-s6a-handler.c
index 2e65df67e..1864b7790 100644
--- a/src/mme/mme-s6a-handler.c
+++ b/src/mme/mme-s6a-handler.c
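Review bot: In mme_s6a_ula_cb() (src/mme/mme-fd-path.c) the added `break` sits inside the `case OGS_DIAM_S6A_AVP_CODE_APN_CONFIGURATION: {` block, so it presumably leaves the switch rather than the AVP iteration around it, which is outside the hunk. If so, each surplus APN-Configuration AVP in an answer from the HSS is skipped one at a time and logs its own warning, which lets a peer fill the log with one oversized answer. A comment above the `break`, such as `/* session[] is full: skip this APN-Configuration AVP, keep parsing the rest */`, would make the intent explicit. Emitting the warning only once per answer would bound the log volume.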
@@ -67,10 +67,13 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
 mme_session_remove_all(mme_ue);
- mme_ue->num_of_session = slice_data->num_of_session;
- mme_ue->context_identifier = slice_data->context_identifier;
-
 for (i = 0; i < slice_data->num_of_session; i++) {
+ if (i >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
 mme_ue->session[i].name = ogs_strdup(slice_data->session[i].name);
 ogs_assert(mme_ue->session[i].name);
@@ -89,4 +92,7 @@ void mme_s6a_handle_ula(mme_ue_t *mme_ue,
 memcpy(&mme_ue->session[i].smf_ip, &slice_data->session[i].smf_ip, sizeof(mme_ue->session[i].smf_ip));
 }
+
+ mme_ue->num_of_session = i;
+ mme_ue->context_identifier = slice_data->context_identifier;
 }
diff --git a/src/udr/nudr-handler.c b/src/udr/nudr-handler.c
index 09a73d8de..7ece34180 100644
--- a/src/udr/nudr-handler.c
+++ b/src/udr/nudr-handler.c
@@ -539,13 +539,26 @@ bool udr_nudr_dr_handle_subscription_provisioned(
 ogs_assert(SubscribedSnssaiInfoList);
 for (i = 0; i < subscription_data.num_of_slice; i++) {
+ if (i >= OGS_MAX_NUM_OF_SLICE) {
+ ogs_warn("Ignore max slice count overflow [%d>=%d]",
+ subscription_data.num_of_slice, OGS_MAX_NUM_OF_SLICE);
+ break;
+ }
 slice_data = &subscription_data.slice[i];
 DnnInfoList = OpenAPI_list_create();
 ogs_assert(DnnInfoList);
 for (j = 0; j < slice_data->num_of_session; j++) {
- ogs_session_t *session = &slice_data->session[j];
+ ogs_session_t *session = NULL;
+
+ if (j >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
+ session = &slice_data->session[j];
 ogs_assert(session);
 ogs_assert(session->name);
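Review bot: The added `mme_ue->num_of_session = i;` at the end of mme_s6a_handle_ula() (src/mme/mme-s6a-handler.c) is undocumented, yet it is correct only because `i` holds the number of sessions actually copied once the loop exits, including the truncated case. That dependency is easy to lose in a later refactor and would bring the oversized count back. A comment on that line would record it, e.g. `/* i == sessions copied; may be fewer than slice_data->num_of_session after truncation */`. The function body starts outside both hunks of this file.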
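Review bot: The in-loop guard in udr_nudr_dr_handle_subscription_provisioned() (src/udr/nudr-handler.c) is the same block that appears four times in this file, counting the later hunks at -662 and -1024, and again in the AMF, HSS and MME hunks, with only the index and count names changing. That many hand-copied bounds checks are hard to audit, and it is easy to miss a loop. Clamping the count once before each loop would keep the warning in one place and leave the loop bodies unchanged, e.g. a local set with `n = slice_data->num_of_session; if (n > OGS_MAX_NUM_OF_SESS) n = OGS_MAX_NUM_OF_SESS;` and iterating to `n`. The function bodies start and end outside the hunks.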
@@ -662,7 +675,15 @@ bool udr_nudr_dr_handle_subscription_provisioned(
 dnnConfigurationList = OpenAPI_list_create();
 for (i = 0; i < slice_data->num_of_session; i++) {
- ogs_session_t *session = &slice_data->session[i];
+ ogs_session_t *session = NULL;
+
+ if (i >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
+ session = &slice_data->session[i];
 ogs_assert(session);
 ogs_assert(session->name);
@@ -1024,7 +1045,15 @@ bool udr_nudr_dr_handle_policy_data(
 slice_data = &subscription_data.slice[0];
 for (i = 0; i < slice_data->num_of_session; i++) {
- ogs_session_t *session = &slice_data->session[i];
+ ogs_session_t *session = NULL;
+
+ if (i >= OGS_MAX_NUM_OF_SESS) {
+ ogs_warn("Ignore max session count overflow [%d>=%d]",
+ slice_data->num_of_session, OGS_MAX_NUM_OF_SESS);
+ break;
+ }
+
+ session = &slice_data->session[i];
 ogs_assert(session);
 ogs_assert(session->name);