From f772bf3a62c3a7a19b291160e6ff556229ce3af7 Mon Sep 17 00:00:00 2001 From: Sukchan Lee Date: Thu, 4 Aug 2022 09:55:17 +0900 Subject: [PATCH] [PFCP] Revert Changes 5e18b2b and d21e9aa To protect malicious or buggy, we need to check that session context is NULL. --- src/sgwc/pfcp-path.c | 3 --- src/sgwc/sxa-handler.c | 32 +++++++++++++++++++++++++++++--- src/smf/n4-handler.c | 14 +++++++++++--- src/smf/pfcp-path.c | 3 --- src/smf/pfcp-sm.c | 34 ++++++++++++++++++++++++++++++++-- 5 files changed, 72 insertions(+), 14 deletions(-) diff --git a/src/sgwc/pfcp-path.c b/src/sgwc/pfcp-path.c index 709784221..231b51507 100644 --- a/src/sgwc/pfcp-path.c +++ b/src/sgwc/pfcp-path.c @@ -378,9 +378,6 @@ int sgwc_pfcp_send_session_report_response( ogs_pkbuf_t *sxabuf = NULL; ogs_pfcp_header_t h; - ogs_assert(xact); - xact->local_seid = sess->sgwc_sxa_seid; - memset(&h, 0, sizeof(ogs_pfcp_header_t)); h.type = OGS_PFCP_SESSION_REPORT_RESPONSE_TYPE; h.seid = sess->sgwu_sxa_seid; diff --git a/src/sgwc/sxa-handler.c b/src/sgwc/sxa-handler.c index a4f5ca277..59c61c7dd 100644 --- a/src/sgwc/sxa-handler.c +++ b/src/sgwc/sxa-handler.c @@ -157,7 +157,6 @@ void sgwc_sxa_handle_session_establishment_response( ogs_debug("Session Establishment Response"); - ogs_assert(sess); ogs_assert(pfcp_xact); ogs_assert(pfcp_rsp); ogs_assert(recv_message); @@ -172,6 +171,11 @@ void sgwc_sxa_handle_session_establishment_response( cause_value = OGS_GTP2_CAUSE_REQUEST_ACCEPTED; + if (!sess) { + ogs_error("No Context"); + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + } + if (pfcp_rsp->up_f_seid.presence == 0) { ogs_error("No UP F-SEID"); cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_MISSING; @@ -449,7 +453,6 @@ void sgwc_sxa_handle_session_modification_response( ogs_debug("Session Modification Response"); - ogs_assert(sess); ogs_assert(pfcp_xact); ogs_assert(pfcp_rsp); 
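Review bot: In sgwc_sxa_handle_session_establishment_response (src/sgwc/sxa-handler.c) the new `if (!sess)` block only sets `cause_value` and falls through, so `sess` is still NULL for everything that follows, and the function body continues outside the hunk. The change is therefore only safe if nothing dereferences `sess` before the code acts on `cause_value`, which cannot be confirmed from the lines shown. A comment at the check, e.g. `/* sess may be NULL below: do not dereference it before the cause_value error path */`, would make that contract explicit. The `up_f_seid` check that follows can also overwrite `OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND` with `OGS_GTP2_CAUSE_MANDATORY_IE_MISSING`, so the reported cause may hide the missing context; placing the `!sess` check after the other checks would preserve it. The same pattern is added in sgwc_sxa_handle_session_deletion_response and in smf_5gc_n4_handle_session_modification_response.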
@@ -459,12 +462,31 @@ void sgwc_sxa_handle_session_modification_response( cause_value = OGS_GTP2_CAUSE_REQUEST_ACCEPTED; if (flags & OGS_PFCP_MODIFY_SESSION) { + if (!sess) { + ogs_error("No Context"); + + sess = pfcp_xact->data; + ogs_assert(sess); + + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + } + sgwc_ue = sess->sgwc_ue; ogs_assert(sgwc_ue); } else { bearer = pfcp_xact->data; ogs_assert(bearer); + + if (!sess) { + ogs_error("No Context"); + + sess = bearer->sess; + ogs_assert(sess); + + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + } + sgwc_ue = bearer->sgwc_ue; ogs_assert(sgwc_ue); } @@ -1185,12 +1207,16 @@ void sgwc_sxa_handle_session_deletion_response( ogs_debug("Session Deletion Response"); - ogs_assert(sess); ogs_assert(pfcp_xact); ogs_assert(pfcp_rsp); cause_value = OGS_GTP2_CAUSE_REQUEST_ACCEPTED; + if (!sess) { + ogs_error("No Context"); + cause_value = OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND; + } + if (pfcp_rsp->cause.presence) { if (pfcp_rsp->cause.u8 != OGS_PFCP_CAUSE_REQUEST_ACCEPTED) { ogs_warn("PFCP Cause[%d] : Not Accepted", pfcp_rsp->cause.u8); diff --git a/src/smf/n4-handler.c b/src/smf/n4-handler.c index 7a2ebc4c4..1fe0ef10b 100644 --- a/src/smf/n4-handler.c +++ b/src/smf/n4-handler.c @@ -255,7 +255,6 @@ void smf_5gc_n4_handle_session_modification_response( ogs_debug("Session Modification Response [5gc]"); - ogs_assert(sess); ogs_assert(xact); ogs_assert(rsp); @@ -280,6 +279,11 @@ void smf_5gc_n4_handle_session_modification_response( status = OGS_SBI_HTTP_STATUS_OK; + if (!sess) { + ogs_error("No Context"); + status = OGS_SBI_HTTP_STATUS_NOT_FOUND; + } + if (rsp->cause.presence) { if (rsp->cause.u8 != OGS_PFCP_CAUSE_REQUEST_ACCEPTED) { ogs_warn("PFCP Cause [%d] : Not Accepted", rsp->cause.u8); @@ -794,7 +798,6 @@ void smf_epc_n4_handle_session_modification_response( OGS_LIST(pdr_to_create_list); - ogs_assert(sess); ogs_assert(xact); ogs_assert(rsp); 
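Review bot: Both new `if (!sess)` branches in sgwc_sxa_handle_session_modification_response recover the session from the transaction (`sess = pfcp_xact->data;` or `sess = bearer->sess;`) and then call `ogs_assert(sess)`, so a response whose SEID matches no session can still end in an assertion. The recovered pointer is also used without any visible check that the object it names is still alive; whether it can be NULL or stale at this point cannot be told from the hunk. Since the commit message says the goal is to tolerate a malicious or buggy peer, a logged early exit that releases the transaction would fit better than an abort. At minimum the fallback deserves a comment such as `/* SEID lookup failed: fall back to the session stored in the transaction when the request was sent */`. The function starts and ends outside the hunk.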
@@ -823,6 +826,11 @@ void smf_epc_n4_handle_session_modification_response( ogs_pfcp_xact_commit(xact); + if (!sess) { + ogs_error("No Context"); + return; + } + if (rsp->cause.presence) { if (rsp->cause.u8 != OGS_PFCP_CAUSE_REQUEST_ACCEPTED) { ogs_error("PFCP Cause [%d] : Not Accepted", rsp->cause.u8); @@ -1106,7 +1114,7 @@ void smf_n4_handle_session_report_request( cause_value = OGS_GTP2_CAUSE_REQUEST_ACCEPTED; if (!sess) { - ogs_warn("No Context"); + ogs_error("No Context"); cause_value = OGS_PFCP_CAUSE_SESSION_CONTEXT_NOT_FOUND; } diff --git a/src/smf/pfcp-path.c b/src/smf/pfcp-path.c index ebb2cd9cb..94323b8bf 100644 --- a/src/smf/pfcp-path.c +++ b/src/smf/pfcp-path.c @@ -692,9 +692,6 @@ int smf_pfcp_send_session_report_response( ogs_pkbuf_t *sxabuf = NULL; ogs_pfcp_header_t h; - ogs_assert(xact); - xact->local_seid = sess->smf_n4_seid; - memset(&h, 0, sizeof(ogs_pfcp_header_t)); h.type = OGS_PFCP_SESSION_REPORT_RESPONSE_TYPE; h.seid = sess->upf_n4_seid; diff --git a/src/smf/pfcp-sm.c b/src/smf/pfcp-sm.c index 32da6115b..c51394bdc 100644 --- a/src/smf/pfcp-sm.c +++ b/src/smf/pfcp-sm.c @@ -222,7 +222,22 @@ void smf_pfcp_state_associated(ogs_fsm_t *s, smf_event_t *e) case OGS_PFCP_SESSION_ESTABLISHMENT_RESPONSE_TYPE: if (!message->h.seid_presence) ogs_error("No SEID"); - ogs_assert(sess); + if (!sess) { + ogs_gtp_xact_t *gtp_xact = xact->assoc_xact; + if (!gtp_xact) { + ogs_error("No associated GTP transaction"); + break; + } + if (gtp_xact->gtp_version == 1) + ogs_gtp1_send_error_message(gtp_xact, 0, + OGS_GTP1_CREATE_PDP_CONTEXT_RESPONSE_TYPE, + OGS_GTP1_CAUSE_CONTEXT_NOT_FOUND); + else + ogs_gtp2_send_error_message(gtp_xact, 0, + OGS_GTP2_CREATE_SESSION_RESPONSE_TYPE, + OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND); + break; + } ogs_fsm_dispatch(&sess->sm, e); break; 
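Review bot: The new `if (!sess)` check in smf_epc_n4_handle_session_modification_response returns with only a log line, after `ogs_pfcp_xact_commit(xact)` has already run, so whatever GTP procedure triggered the modification appears to get no reply on this path. The other handlers touched by this commit turn the same condition into a CONTEXT_NOT_FOUND cause that is reported back, which makes the silent drop here look inconsistent. If dropping is intended, say so at the check, e.g. `/* No session to answer for: nothing is sent, the GTP peer is left to time out */`. The rest of the function is outside the hunk, so any later cleanup cannot be confirmed.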
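Review bot: When `sess` is NULL but `xact->assoc_xact` is set, the block added under OGS_PFCP_SESSION_ESTABLISHMENT_RESPONSE_TYPE in smf_pfcp_state_associated sends the GTP error without writing any log entry. A response carrying an unknown SEID then leaves no trace on the SMF unless the send helpers log it themselves. This path is reachable by a misbehaving peer, so it is worth recording what was received, for example `ogs_error("No Context [SEID:0x%llx]", (long long)message->h.seid);` as the first statement of the `if (!sess)` body. The same applies to the block under OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE. The PFCP transaction also does not appear to be committed on these `break` paths, unless code after the switch, outside the hunk, does it.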
@@ -241,7 +256,22 @@ void smf_pfcp_state_associated(ogs_fsm_t *s, smf_event_t *e) case OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE: if (!message->h.seid_presence) ogs_error("No SEID"); - ogs_assert(sess); + if (!sess) { + ogs_gtp_xact_t *gtp_xact = xact->assoc_xact; + if (!gtp_xact) { + ogs_error("No associated GTP transaction"); + break; + } + if (gtp_xact->gtp_version == 1) + ogs_gtp1_send_error_message(gtp_xact, 0, + OGS_GTP1_DELETE_PDP_CONTEXT_RESPONSE_TYPE, + OGS_GTP1_CAUSE_CONTEXT_NOT_FOUND); + else + ogs_gtp2_send_error_message(gtp_xact, 0, + OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE, + OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND); + break; + } ogs_fsm_dispatch(&sess->sm, e); break;
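Review bot: The `if (!sess)` block added under OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE repeats the one added under OGS_PFCP_SESSION_ESTABLISHMENT_RESPONSE_TYPE line for line, differing only in the two response-type constants. A file-local helper taking those two constants would keep the reply logic in one place, so a later fix to one case cannot miss the other. The sketch below shows such a helper and the deletion call site. smf_pfcp_state_associated starts and ends outside the hunk, and the helper's parameter types are assumed from how the values are used here.

```c
/* Answer the GTP transaction tied to a PFCP response whose SEID matched
 * no session with CONTEXT_NOT_FOUND, using the GTP version of that
 * transaction. */
static void send_gtp_context_not_found(
        ogs_pfcp_xact_t *xact, uint8_t gtp1_type, uint8_t gtp2_type)
{
    ogs_gtp_xact_t *gtp_xact = xact->assoc_xact;

    if (!gtp_xact) {
        ogs_error("No associated GTP transaction");
        return;
    }

    if (gtp_xact->gtp_version == 1)
        ogs_gtp1_send_error_message(gtp_xact, 0, gtp1_type,
                OGS_GTP1_CAUSE_CONTEXT_NOT_FOUND);
    else
        ogs_gtp2_send_error_message(gtp_xact, 0, gtp2_type,
                OGS_GTP2_CAUSE_CONTEXT_NOT_FOUND);
}

/* … unchanged: smf_pfcp_state_associated() up to the deletion case … */
        case OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE:
            /* … unchanged: SEID presence check … */
            if (!sess) {
                send_gtp_context_not_found(xact,
                        OGS_GTP1_DELETE_PDP_CONTEXT_RESPONSE_TYPE,
                        OGS_GTP2_DELETE_SESSION_RESPONSE_TYPE);
                break;
            }
/* … unchanged: dispatch to the session state machine … */
```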