sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[SEC] fix Assertion `0 < ogs_fadn_parse` (#3207)

This commit is contained in:
Sukchan Lee 2024-05-18 19:48:03 +09:00
parent 4599b273fa
commit 05deed616c
7 changed files with 73 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
lib/pfcp/handler.c
View File

@ -518,12 +518,13 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
if (message->pdi.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN+1];
ogs_assert(0 < ogs_fqdn_parse(dnn,
message->pdi.network_instance.data,
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN)));
pdr->dnn = ogs_strdup(dnn);
ogs_assert(pdr->dnn);
if (ogs_fqdn_parse(dnn, message->pdi.network_instance.data,
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN)) > 0) {
pdr->dnn = ogs_strdup(dnn);
ogs_assert(pdr->dnn);
} else {
ogs_error("Invalid pdi.network_instance");
}
}
pdr->chid = false;
@ -855,14 +856,16 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess,
if (message->pdi.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN+1];
ogs_assert(0 < ogs_fqdn_parse(dnn,
message->pdi.network_instance.data,
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN)));
if (pdr->dnn)
ogs_free(pdr->dnn);
pdr->dnn = ogs_strdup(dnn);
ogs_assert(pdr->dnn);
if (ogs_fqdn_parse(dnn, message->pdi.network_instance.data,
ogs_min(message->pdi.network_instance.len,
OGS_MAX_DNN_LEN)) > 0) {
if (pdr->dnn)
ogs_free(pdr->dnn);
pdr->dnn = ogs_strdup(dnn);
ogs_assert(pdr->dnn);
} else {
ogs_error("Invalid pdi.network_instance");
}
}
if (message->pdi.local_f_teid.presence) {
@ -964,13 +967,15 @@ ogs_pfcp_far_t *ogs_pfcp_handle_create_far(ogs_pfcp_sess_t *sess,
if (message->forwarding_parameters.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN+1];
ogs_assert(0 < ogs_fqdn_parse(dnn,
if (ogs_fqdn_parse(dnn,
message->forwarding_parameters.network_instance.data,
ogs_min(message->forwarding_parameters.network_instance.len,
OGS_MAX_DNN_LEN)));
far->dnn = ogs_strdup(dnn);
ogs_assert(far->dnn);
ogs_min(message->forwarding_parameters.network_instance.len,
OGS_MAX_DNN_LEN)) > 0) {
far->dnn = ogs_strdup(dnn);
ogs_assert(far->dnn);
} else {
ogs_error("Invalid forwarding_parameters.network_instance");
}
}
if (message->forwarding_parameters.outer_header_creation.presence) {
@ -1069,15 +1074,18 @@ ogs_pfcp_far_t *ogs_pfcp_handle_update_far(ogs_pfcp_sess_t *sess,
if (message->update_forwarding_parameters.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN+1];
ogs_assert(0 < ogs_fqdn_parse(dnn,
if (ogs_fqdn_parse(dnn,
message->update_forwarding_parameters.network_instance.data,
ogs_min(message->update_forwarding_parameters.
network_instance.len, OGS_MAX_DNN_LEN)));
if (far->dnn)
ogs_free(far->dnn);
far->dnn = ogs_strdup(dnn);
ogs_assert(far->dnn);
ogs_min(message->update_forwarding_parameters.
network_instance.len, OGS_MAX_DNN_LEN)) > 0) {
if (far->dnn)
ogs_free(far->dnn);
far->dnn = ogs_strdup(dnn);
ogs_assert(far->dnn);
} else {
ogs_error("Invalid "
"update_forwarding_parameters.network_instance");
}
}
if (message->update_forwarding_parameters.

8
lib/pfcp/types.c
View File

@ -173,9 +173,11 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
int len = octet->len - size;
if (info->assosi) len--;
ogs_assert(0 < ogs_fqdn_parse(
info->network_instance, (char *)octet->data + size,
ogs_min(len, OGS_MAX_APN_LEN)));
if (ogs_fqdn_parse(info->network_instance, (char *)octet->data + size,
ogs_min(len, OGS_MAX_APN_LEN)) <= 0) {
ogs_error("Invalid info->network_instance");
info->network_instance[0] = 0;
}
size += len;
}

4
lib/proto/types.c
View File

@ -419,8 +419,8 @@ int ogs_fqdn_parse(char *dst, const char *src, int length)
while (i+1 < length) {
len = src[i++];
if ((j + len + 1) > length) {
ogs_error("Invalid FQDN encoding[len:%d] + 1 > length[%d]",
len, length);
ogs_error("Invalid FQDN encoding[j:%d+len:%d] + 1 > length[%d]",
j, len, length);
ogs_log_hexdump(OGS_LOG_ERROR, (unsigned char *)src, length);
return 0;
}

8
src/mme/sgsap-handler.c
View File

@ -332,9 +332,11 @@ void sgsap_handle_paging_request(mme_vlr_t *vlr, ogs_pkbuf_t *pkbuf)
nas_mobile_identity_imsi_len = iter->length;
break;
case SGSAP_IE_VLR_NAME_TYPE:
ogs_assert(0 < ogs_fqdn_parse(
vlr_name, iter->value,
ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN)));
if (ogs_fqdn_parse(vlr_name, iter->value,
ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN)) <= 0) {
ogs_error("Invalid VLR-Name");
return;
}
break;
case SGSAP_IE_LAI_TYPE:
lai = iter->value;

9
src/sgwc/s11-handler.c
View File

@ -203,6 +203,12 @@ void sgwc_s11_handle_create_session_request(
if (req->access_point_name.presence == 0) {
ogs_error("No APN");
cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_MISSING;
} else {
if (ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN)) <= 0) {
ogs_error("Invalid APN");
cause_value = OGS_GTP2_CAUSE_MANDATORY_IE_INCORRECT;
}
}
if (req->sender_f_teid_for_control_plane.presence == 0) {
ogs_error("No Sender F-TEID");
@ -221,9 +227,6 @@ void sgwc_s11_handle_create_session_request(
}
/* Add Session */
ogs_assert(0 < ogs_fqdn_parse(apn,
req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN)));
sess = sgwc_sess_find_by_ebi(sgwc_ue,
req->bearer_contexts_to_be_created[0].eps_bearer_id.u8);
if (sess) {

22
src/smf/context.c
View File

@ -1278,7 +1278,14 @@ smf_sess_t *smf_sess_add_by_gtp1_message(ogs_gtp1_message_t *message)
if (req->access_point_name.presence == 0) {
ogs_error("No APN");
return NULL;
} else {
if (ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN)) <= 0) {
ogs_error("Invalid APN");
return NULL;
}
}
if (req->sgsn_address_for_signalling.presence == 0) {
ogs_error("No SGSN Address for signalling");
return NULL;
@ -1296,12 +1303,6 @@ smf_sess_t *smf_sess_add_by_gtp1_message(ogs_gtp1_message_t *message)
return NULL;
}
if ((ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1))) <= 0) {
ogs_error("No APN");
return NULL;
}
ogs_trace("smf_sess_add_by_message() [APN:%s]", apn);
/*
@ -1349,15 +1350,18 @@ smf_sess_t *smf_sess_add_by_gtp2_message(ogs_gtp2_message_t *message)
if (req->access_point_name.presence == 0) {
ogs_error("No APN");
return NULL;
} else {
if (ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN)) <= 0) {
ogs_error("Invalid APN");
return NULL;
}
}
if (req->rat_type.presence == 0) {
ogs_error("No RAT Type");
return NULL;
}
ogs_assert(0 < ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN)));
ogs_trace("smf_sess_add_by_message() [APN:%s]", apn);
/*

8
src/upf/n4-handler.c
View File

@ -107,8 +107,12 @@ void upf_n4_handle_session_establishment_request(
if (req->apn_dnn.presence) {
char apn_dnn[OGS_MAX_DNN_LEN+1];
ogs_assert(0 < ogs_fqdn_parse(apn_dnn, req->apn_dnn.data,
ogs_min(req->apn_dnn.len, OGS_MAX_DNN_LEN)));
if (ogs_fqdn_parse(apn_dnn, req->apn_dnn.data,
ogs_min(req->apn_dnn.len, OGS_MAX_DNN_LEN)) <= 0) {
ogs_error("Invalid APN");
cause_value = OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT;
goto cleanup;
}
if (sess->apn_dnn)
ogs_free(sess->apn_dnn);