fix the SMF/PCRF crash when bearer > 8 (#1108)

2021-07-29 18:10:28 +09:00 · 2021-07-29 18:10:28 +09:00 · 7e5a5d7511
parent acb4db5dd1
commit 7e5a5d7511
3 changed files with 30 additions and 21 deletions
--- a/src/pcrf/pcrf-gx-path.c
+++ b/src/pcrf/pcrf-gx-path.c
@ -1485,16 +1485,24 @@ static int install_flow(ogs_pcc_rule_t *pcc_rule,

        /* Copy Flow to PCC Rule */
        for (j = 0; j < sub->num_of_flow; j++) {
-            ogs_flow_t *rx_flow = &sub->flow[j];
-            ogs_flow_t *gx_flow = &pcc_rule->flow[pcc_rule->num_of_flow];
+            ogs_flow_t *rx_flow = NULL;
+            ogs_flow_t *gx_flow = NULL;

-            rv = flow_rx_to_gx(rx_flow, gx_flow);
-            if (rv != OGS_OK) {
-                ogs_error("flow reformatting error");
+            if (pcc_rule->num_of_flow < OGS_MAX_NUM_OF_FLOW) {
+                rx_flow = &sub->flow[j];
+                gx_flow = &pcc_rule->flow[pcc_rule->num_of_flow];
+
+                rv = flow_rx_to_gx(rx_flow, gx_flow);
+                if (rv != OGS_OK) {
+                    ogs_error("flow reformatting error");
+                    return OGS_ERROR;
+                }
+
+                pcc_rule->num_of_flow++;
+            } else {
+                ogs_error("Overflow: Number of Flow");
                return OGS_ERROR;
            }
-
-            pcc_rule->num_of_flow++;
        }
    }

--- a/src/pcrf/pcrf-rx-path.c
+++ b/src/pcrf/pcrf-rx-path.c
@ -385,13 +385,10 @@ static int pcrf_rx_aar_cb( struct msg **msg, struct avp *avp,
                                        strlen(to_str));
                                }
                            } else {
-                                flow->description = ogs_malloc(
-                                    hdr->avp_value->os.len+1);
-                                ogs_assert(flow->description);
-                                ogs_cpystrn(
-                                    flow->description,
+                                flow->description = ogs_strndup(
                                    (char*)hdr->avp_value->os.data,
-                                    hdr->avp_value->os.len+1);
+                                    hdr->avp_value->os.len);
+                                ogs_assert(flow->description);
                            }

                            sub->num_of_flow++;
--- a/src/smf/gx-path.c
+++ b/src/smf/gx-path.c
@ -631,7 +631,6 @@ static void smf_gx_cca_cb(void *data, struct msg **msg)
    ogs_diam_gx_message_t *gx_message = NULL;
    uint16_t gxbuf_len = 0;
    uint32_t cc_request_number = 0;
-    smf_bearer_t *bearer = NULL;

    ogs_debug("[Credit-Control-Answer]");
    
@ -1017,9 +1016,9 @@ static int smf_gx_rar_cb( struct msg **msg, struct avp *avp,
    smf_sess_t *sess = NULL;
    ogs_diam_gx_message_t *gx_message = NULL;
    ogs_pcc_rule_t *pcc_rule = NULL;
-    smf_bearer_t *bearer = NULL;

    uint32_t result_code = OGS_DIAM_UNKNOWN_SESSION_ID;
+    int error = 0;
 	
    ogs_assert(msg);

@ -1084,9 +1083,16 @@ static int smf_gx_rar_cb( struct msg **msg, struct avp *avp,
                        pcc_rule = &gx_message->session_data.pcc_rule
                                [gx_message->session_data.num_of_pcc_rule];

-                        rv = decode_pcc_rule_definition(pcc_rule, avpch1, NULL);
+                        rv = decode_pcc_rule_definition(
+                                pcc_rule, avpch1, &error);
                        ogs_assert(rv == OGS_OK);

+                        if (error) {
+                            ogs_error("decode_pcc_rule_definition() failed");
+                            result_code = OGS_DIAM_GX_DIAMETER_PCC_RULE_EVENT;
+                            goto out;
+                        }
+
                        pcc_rule->type = OGS_PCC_RULE_TYPE_INSTALL;
                        gx_message->session_data.num_of_pcc_rule++;
                    } else {
@ -1303,16 +1309,14 @@ static int decode_pcc_rule_definition(
                if (avpch3) {
                    ret = fd_msg_avp_hdr(avpch3, &hdr);
                    ogs_assert(ret == 0);
-                    flow->description = ogs_malloc(hdr->avp_value->os.len+1);
+                    flow->description = ogs_strndup(
+                        (char*)hdr->avp_value->os.data, hdr->avp_value->os.len);
                    ogs_assert(flow->description);
-                    ogs_cpystrn(flow->description,
-                        (char*)hdr->avp_value->os.data,
-                        hdr->avp_value->os.len+1);
                }

                pcc_rule->num_of_flow++;
            } else {
-                ogs_error("Overflow: Num of Flow");
+                ogs_error("Overflow: Num of Flow [%d]", pcc_rule->num_of_flow);
                error++;
            }
            break;