CVE-2021-41794 from NCC Group by Mark Tedman

When connecting to the UPF port for the PFCP protocol (8805) and sending
an association setup request followed by a session establishment request
with a PDI Network Instance set to ‘internet’, it causes a stack corruption
to occur.

So, ogs_fqdn_parse() is fixed.
This commit is contained in:
Sukchan Lee 2021-10-01 22:41:03 +09:00
parent 7dcde91057
commit 13f1b390ae
21 changed files with 50 additions and 34 deletions


@ -326,6 +326,11 @@ int ogs_fqdn_parse(char *dst, char *src, int length)
do {
len = src[i++];
if ((j + len + 1) > length) {
ogs_error("Invalid APN encoding[len:%d] + 1 > length[%d]",
len, length);
return 0;
}
memcpy(&dst[j], &src[i], len);
i += len;
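Review bot: The new bound makes `length` do double duty — it limits both the source bytes consumed and the destination bytes written — but nothing at the function says so, and every caller touched by this commit now has to know that to choose the clamp it passes. I would add above `do {`: `/* length bounds both src (bytes consumed) and dst (bytes written); the +1 in the check reserves the separator/terminator byte, so callers must pass a value no larger than the size of dst */`. The check is also only sound if `len` is an unsigned type: its declaration is outside the hunk, and if it were a plain `char` or `int`, a label byte of 0x80 or above would be negative, pass `(j + len + 1) > length`, and reach `memcpy` converted to a huge size_t. ogs_fqdn_parse begins and ends outside the hunk.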


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.2.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:15:53.792358 by acetcom
* Created on: 2021-10-01 22:38:42.729397 by acetcom
* from 24501-g41.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.2.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:15:53.800337 by acetcom
* Created on: 2021-10-01 22:38:42.737852 by acetcom
* from 24501-g41.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.2.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:15:53.780969 by acetcom
* Created on: 2021-10-01 22:38:42.717226 by acetcom
* from 24501-g41.docx
******************************************************************************/
@ -136,7 +136,8 @@ int ogs_nas_5gs_decode_dnn(ogs_nas_dnn_t *dnn, ogs_pkbuf_t *pkbuf)
{
char data_network_name[OGS_MAX_DNN_LEN];
dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, dnn->length);
dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));
ogs_assert(dnn->length > 0);
ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);
}
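Review bot: The clamp on the new line, `ogs_min(dnn->length, OGS_MAX_DNN_LEN+1)`, is one larger than the buffer it protects, `char data_network_name[OGS_MAX_DNN_LEN]` two lines above. With the parser's check being `(j + len + 1) > length`, a length of OGS_MAX_DNN_LEN+1 admits `j + len == OGS_MAX_DNN_LEN`; the memcpy itself then stays inside the array, but any separator or NUL the parser stores at `dst[j + len]` afterwards (that code is outside the parser hunk, though the reserved `+ 1` suggests it exists) lands at index OGS_MAX_DNN_LEN, one past the end. Either clamp to the array, `ogs_min(dnn->length, OGS_MAX_DNN_LEN)`, or declare it `char data_network_name[OGS_MAX_DNN_LEN + 1];` so the bound equals `sizeof data_network_name`. The same array/clamp pairing appears in ogs_nas_eps_decode_access_point_name, in ogs_pfcp_handle_create_pdr and ogs_pfcp_handle_update_pdr, and in the two nas-message.py templates that generate these decoders, so the fix belongs in the templates as well. ogs_nas_5gs_decode_dnn starts and ends outside the hunk.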


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.2.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:15:53.779048 by acetcom
* Created on: 2021-10-01 22:38:42.715187 by acetcom
* from 24501-g41.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.2.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:15:53.787309 by acetcom
* Created on: 2021-10-01 22:38:42.724015 by acetcom
* from 24501-g41.docx
******************************************************************************/


@ -29,7 +29,8 @@ type_list["Header compression configuration"]["encode"] = \
type_list["DNN"]["decode"] = \
" {\n" \
" char data_network_name[OGS_MAX_DNN_LEN];\n" \
" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, dnn->length);\n" \
" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));\n" \
" ogs_assert(dnn->length > 0);\n" \
" ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);\n" \
" }\n\n"


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:44:53.381858 by acetcom
* Created on: 2021-10-01 22:40:09.595336 by acetcom
* from 24301-g40.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:44:53.390608 by acetcom
* Created on: 2021-10-01 22:40:09.604726 by acetcom
* from 24301-g40.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:44:53.370878 by acetcom
* Created on: 2021-10-01 22:40:09.583395 by acetcom
* from 24301-g40.docx
******************************************************************************/
@ -3014,7 +3014,8 @@ int ogs_nas_eps_decode_access_point_name(ogs_nas_access_point_name_t *access_poi
{
char apn[OGS_MAX_APN_LEN];
access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, access_point_name->length);
access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));
ogs_assert(access_point_name->length > 0);
ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);
}


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:44:53.369156 by acetcom
* Created on: 2021-10-01 22:40:09.581571 by acetcom
* from 24301-g40.docx
******************************************************************************/


@ -28,7 +28,7 @@
/*******************************************************************************
* This file had been created by nas-message.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2021-06-21 14:44:53.375891 by acetcom
* Created on: 2021-10-01 22:40:09.588825 by acetcom
* from 24301-g40.docx
******************************************************************************/


@ -71,7 +71,8 @@ type_list["Short MAC"]["encode"] = \
type_list["Access point name"]["decode"] = \
" {\n" \
" char apn[OGS_MAX_APN_LEN];\n" \
" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, access_point_name->length);\n" \
" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));\n" \
" ogs_assert(access_point_name->length > 0);\n" \
" ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);\n" \
" }\n\n"


@ -418,9 +418,9 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
if (message->pdi.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN];
ogs_fqdn_parse(dnn,
ogs_assert(0 < ogs_fqdn_parse(dnn,
message->pdi.network_instance.data,
message->pdi.network_instance.len);
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1)));
pdr->dnn = ogs_strdup(dnn);
ogs_assert(pdr->dnn);
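Review bot: `ogs_assert(0 < ogs_fqdn_parse(dnn, …))` on the new line means a malformed PDI Network Instance — the field the CVE report exercised — now aborts the UPF instead of corrupting its stack, because ogs_fqdn_parse returns 0 from its length check and ogs_assert terminates on that; for a value the PFCP peer controls, that is an availability problem rather than a fix. I would reject at protocol level instead, e.g. `if (ogs_fqdn_parse(dnn, message->pdi.network_instance.data, ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1)) <= 0) { ogs_error("Invalid PDI Network Instance"); return NULL; }`, setting whatever cause and offending-IE outputs the handler's remaining parameters provide (its signature continues outside the hunk) and releasing anything allocated for `pdr` earlier in the function. The same `ogs_assert(0 < ogs_fqdn_parse(...))` pattern is introduced in ogs_pfcp_handle_update_pdr, ogs_pfcp_parse_user_plane_ip_resource_info, ogs_sbi_nnrf_handle_nf_profile (twice), bsf_nbsf_management_handle_pcf_binding, sgsap_handle_paging_request, sgwc_s11_handle_create_session_request, smf_sess_add_by_gtp_message and af_nbsf_management_handle_pcf_binding, each on input received from a peer. Ignoring the return value, as before, was worse, so this is something to build on rather than revert. ogs_pfcp_handle_create_pdr starts and ends outside the hunk.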
@ -658,9 +658,9 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess,
if (message->pdi.network_instance.presence) {
char dnn[OGS_MAX_DNN_LEN];
ogs_fqdn_parse(dnn,
ogs_assert(0 < ogs_fqdn_parse(dnn,
message->pdi.network_instance.data,
message->pdi.network_instance.len);
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1)));
if (pdr->dnn)
ogs_free(pdr->dnn);


@ -173,7 +173,9 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
int len = octet->len - size;
if (info->assosi) len--;
ogs_fqdn_parse(info->network_instance, (char *)octet->data + size, len);
ogs_assert(0 < ogs_fqdn_parse(
info->network_instance, (char *)octet->data + size,
ogs_min(len, OGS_MAX_APN_LEN+1)));
size += len;
}
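Review bot: The clamp on the new lines uses `OGS_MAX_APN_LEN+1` for `info->network_instance`, while every other network-instance caller in this commit clamps with `OGS_MAX_DNN_LEN+1`; unless the two constants are equal, one of them is wrong for this field, and the array's declared size is not visible here. Clamping to the destination itself, `ogs_min(len, (int)sizeof info->network_instance)`, removes the guess and keeps the bound tied to the buffer it protects. Note also that `len` is `octet->len - size` (one less when `info->assosi` is set) with no check that it is positive; a negative value passes through `ogs_min` unchanged and, judging by the parser hunk, should fail its `(j + len + 1) > length` check and hit the assert, so the outcome is an abort rather than an overflow. ogs_pfcp_parse_user_plane_ip_resource_info starts and ends outside the hunk.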


@ -248,8 +248,9 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance,
nf_instance->time.heartbeat_interval = NFProfile->heart_beat_timer;
if (NFProfile->fqdn)
ogs_fqdn_parse(nf_instance->fqdn,
NFProfile->fqdn, strlen(NFProfile->fqdn));
ogs_assert(0 < ogs_fqdn_parse(
nf_instance->fqdn, NFProfile->fqdn,
ogs_min(strlen(NFProfile->fqdn), OGS_MAX_FQDN_LEN+1)));
if (NFProfile->is_priority == true)
nf_instance->priority = NFProfile->priority;
@ -328,8 +329,9 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance,
}
if (NFService->fqdn)
ogs_fqdn_parse(nf_service->fqdn,
NFService->fqdn, strlen(NFService->fqdn));
ogs_assert(0 < ogs_fqdn_parse(
nf_service->fqdn, NFService->fqdn,
ogs_min(strlen(NFService->fqdn), OGS_MAX_FQDN_LEN+1)));
OpenAPI_list_for_each(IpEndPointList, node2) {
OpenAPI_ip_end_point_t *IpEndPoint = node2->data;


@ -101,9 +101,10 @@ bool bsf_nbsf_management_handle_pcf_binding(
bsf_sess_set_ipv6prefix(sess, RecvPcfBinding->ipv6_prefix);
if (RecvPcfBinding->pcf_fqdn) {
ogs_fqdn_parse(fqdn,
RecvPcfBinding->pcf_fqdn,
strlen(RecvPcfBinding->pcf_fqdn));
ogs_assert(0 < ogs_fqdn_parse(
fqdn, RecvPcfBinding->pcf_fqdn,
ogs_min(strlen(RecvPcfBinding->pcf_fqdn),
OGS_MAX_FQDN_LEN+1)));
if (sess->pcf_fqdn)
ogs_free(sess->pcf_fqdn);


@ -286,7 +286,9 @@ void sgsap_handle_paging_request(mme_vlr_t *vlr, ogs_pkbuf_t *pkbuf)
nas_mobile_identity_imsi_len = iter->length;
break;
case SGSAP_IE_VLR_NAME_TYPE:
ogs_fqdn_parse(vlr_name, iter->value, iter->length);
ogs_assert(0 < ogs_fqdn_parse(
vlr_name, iter->value,
ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN+1)));
break;
case SGSAP_IE_LAI_TYPE:
lai = iter->value;


@ -189,8 +189,9 @@ void sgwc_s11_handle_create_session_request(
}
/* Add Session */
ogs_fqdn_parse(apn,
req->access_point_name.data, req->access_point_name.len);
ogs_assert(0 < ogs_fqdn_parse(apn,
req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1)));
sess = sgwc_sess_find_by_ebi(sgwc_ue,
req->bearer_contexts_to_be_created.eps_bearer_id.u8);
if (sess) {


@ -1036,8 +1036,8 @@ smf_sess_t *smf_sess_add_by_gtp_message(ogs_gtp_message_t *message)
return NULL;
}
ogs_fqdn_parse(apn,
req->access_point_name.data, req->access_point_name.len);
ogs_assert(0 < ogs_fqdn_parse(apn, req->access_point_name.data,
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1)));
ogs_trace("smf_sess_add_by_message() [APN:%s]", apn);


@ -44,9 +44,8 @@ void af_nbsf_management_handle_pcf_binding(
}
if (PcfBinding->pcf_fqdn) {
ogs_fqdn_parse(fqdn,
PcfBinding->pcf_fqdn,
strlen(PcfBinding->pcf_fqdn));
ogs_assert(0 < ogs_fqdn_parse(fqdn, PcfBinding->pcf_fqdn,
ogs_min(strlen(PcfBinding->pcf_fqdn), OGS_MAX_FQDN_LEN+1)));
if (sess->pcf.fqdn)
ogs_free(sess->pcf.fqdn);
sess->pcf.fqdn = ogs_strdup(fqdn);