forked from acouzens/open5gs
CVE-2021-41794 from NCC Group by Mark Tedman
Connecting to the UPF's PFCP port (8805) and sending an association setup request followed by a session establishment request with a PDI Network Instance set to ‘internet’ corrupts the stack. This commit fixes ogs_fqdn_parse() to address it.
parent
7dcde91057
commit
13f1b390ae
|
@ -326,6 +326,11 @@ int ogs_fqdn_parse(char *dst, char *src, int length)
|
|||
|
||||
do {
|
||||
len = src[i++];
|
||||
if ((j + len + 1) > length) {
|
||||
ogs_error("Invalid APN encoding[len:%d] + 1 > length[%d]",
|
||||
len, length);
|
||||
return 0;
|
||||
}
|
||||
memcpy(&dst[j], &src[i], len);
|
||||
|
||||
i += len;
|
||||
|
|
|
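Review bot: The new guard `if ((j + len + 1) > length)` bounds the write into `dst` by `length`, which is the size of the encoded source, so `ogs_fqdn_parse()` still does not know how large `dst` is and every caller has to clamp `length` correctly. The callers changed in this commit clamp to `OGS_MAX_DNN_LEN+1` (or the APN/FQDN equivalent) while declaring buffers such as `char dnn[OGS_MAX_DNN_LEN]`, so the guard admits `j + len == OGS_MAX_DNN_LEN`; the code after `i += len` is outside the hunk, but if it stores a separator or terminator at `dst[j]`, that store would land one byte past such a buffer. I would state the contract on the function, for example `/* dst must hold at least length bytes; returns 0 on malformed input */`, and size the caller buffers to match. The declaration of `len` is also outside the hunk; it presumably needs to be an unsigned 8-bit type so that a length octet above 0x7f read from `char *src` cannot become negative before the comparison.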
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.2.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:15:53.792358 by acetcom
|
||||
* Created on: 2021-10-01 22:38:42.729397 by acetcom
|
||||
* from 24501-g41.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.2.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:15:53.800337 by acetcom
|
||||
* Created on: 2021-10-01 22:38:42.737852 by acetcom
|
||||
* from 24501-g41.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.2.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:15:53.780969 by acetcom
|
||||
* Created on: 2021-10-01 22:38:42.717226 by acetcom
|
||||
* from 24501-g41.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
@ -136,7 +136,8 @@ int ogs_nas_5gs_decode_dnn(ogs_nas_dnn_t *dnn, ogs_pkbuf_t *pkbuf)
|
|||
|
||||
{
|
||||
char data_network_name[OGS_MAX_DNN_LEN];
|
||||
dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, dnn->length);
|
||||
dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));
|
||||
ogs_assert(dnn->length > 0);
|
||||
ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);
|
||||
}
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.2.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:15:53.779048 by acetcom
|
||||
* Created on: 2021-10-01 22:38:42.715187 by acetcom
|
||||
* from 24501-g41.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.2.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:15:53.787309 by acetcom
|
||||
* Created on: 2021-10-01 22:38:42.724015 by acetcom
|
||||
* from 24501-g41.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -29,7 +29,8 @@ type_list["Header compression configuration"]["encode"] = \
|
|||
type_list["DNN"]["decode"] = \
|
||||
" {\n" \
|
||||
" char data_network_name[OGS_MAX_DNN_LEN];\n" \
|
||||
" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, dnn->length);\n" \
|
||||
" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));\n" \
|
||||
" ogs_assert(dnn->length > 0);\n" \
|
||||
" ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1);\n" \
|
||||
" }\n\n"
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:44:53.381858 by acetcom
|
||||
* Created on: 2021-10-01 22:40:09.595336 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:44:53.390608 by acetcom
|
||||
* Created on: 2021-10-01 22:40:09.604726 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:44:53.370878 by acetcom
|
||||
* Created on: 2021-10-01 22:40:09.583395 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
@ -3014,7 +3014,8 @@ int ogs_nas_eps_decode_access_point_name(ogs_nas_access_point_name_t *access_poi
|
|||
|
||||
{
|
||||
char apn[OGS_MAX_APN_LEN];
|
||||
access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, access_point_name->length);
|
||||
access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));
|
||||
ogs_assert(access_point_name->length > 0);
|
||||
ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);
|
||||
}
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:44:53.369156 by acetcom
|
||||
* Created on: 2021-10-01 22:40:09.581571 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
/*******************************************************************************
|
||||
* This file had been created by nas-message.py script v0.1.0
|
||||
* Please do not modify this file but regenerate it via script.
|
||||
* Created on: 2021-06-21 14:44:53.375891 by acetcom
|
||||
* Created on: 2021-10-01 22:40:09.588825 by acetcom
|
||||
* from 24301-g40.docx
|
||||
******************************************************************************/
|
||||
|
||||
|
|
|
@ -71,7 +71,8 @@ type_list["Short MAC"]["encode"] = \
|
|||
type_list["Access point name"]["decode"] = \
|
||||
" {\n" \
|
||||
" char apn[OGS_MAX_APN_LEN];\n" \
|
||||
" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, access_point_name->length);\n" \
|
||||
" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));\n" \
|
||||
" ogs_assert(access_point_name->length > 0);\n" \
|
||||
" ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN) + 1);\n" \
|
||||
" }\n\n"
|
||||
|
||||
|
|
|
@ -418,9 +418,9 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess,
|
|||
if (message->pdi.network_instance.presence) {
|
||||
char dnn[OGS_MAX_DNN_LEN];
|
||||
|
||||
ogs_fqdn_parse(dnn,
|
||||
ogs_assert(0 < ogs_fqdn_parse(dnn,
|
||||
message->pdi.network_instance.data,
|
||||
message->pdi.network_instance.len);
|
||||
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1)));
|
||||
|
||||
pdr->dnn = ogs_strdup(dnn);
|
||||
ogs_assert(pdr->dnn);
|
||||
|
@ -658,9 +658,9 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess,
|
|||
if (message->pdi.network_instance.presence) {
|
||||
char dnn[OGS_MAX_DNN_LEN];
|
||||
|
||||
ogs_fqdn_parse(dnn,
|
||||
ogs_assert(0 < ogs_fqdn_parse(dnn,
|
||||
message->pdi.network_instance.data,
|
||||
message->pdi.network_instance.len);
|
||||
ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1)));
|
||||
|
||||
if (pdr->dnn)
|
||||
ogs_free(pdr->dnn);
|
||||
|
|
|
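Review bot: Wrapping the call as `ogs_assert(0 < ogs_fqdn_parse(dnn, ...))` in `ogs_pfcp_handle_create_pdr()` and `ogs_pfcp_handle_update_pdr()` turns a malformed Network Instance from a PFCP peer into a failed assertion instead of a rejected message. The parser now returns 0 for bad encodings so that callers can refuse them, and an oversize value clamped by `ogs_min()` is cut mid-label and is likely to take that same path; assuming `ogs_assert` aborts, one bad request stops the process. I would test the result and fail the request, e.g. `if (ogs_fqdn_parse(dnn, ..., ...) <= 0) { ogs_error("Invalid Network Instance"); return NULL; }`, with whatever cleanup of `pdr` the surrounding function needs (both functions extend beyond the hunks). Keeping the call outside the assertion also avoids losing the parse if assertions are ever compiled out. The same pattern is added in the PFCP types, SBI, BSF, SGsAP, SGW-C, SMF and AF hunks further down.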
@ -173,7 +173,9 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
|
|||
int len = octet->len - size;
|
||||
if (info->assosi) len--;
|
||||
|
||||
ogs_fqdn_parse(info->network_instance, (char *)octet->data + size, len);
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
info->network_instance, (char *)octet->data + size,
|
||||
ogs_min(len, OGS_MAX_APN_LEN+1)));
|
||||
size += len;
|
||||
}
|
||||
|
||||
|
|
|
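Review bot: In `ogs_pfcp_parse_user_plane_ip_resource_info()` the clamp only caps `len` from above, but `len` is `octet->len - size` (minus one when `info->assosi` is set) and can be zero or negative for a short IE. `ogs_min(len, OGS_MAX_APN_LEN+1)` passes such a value straight through, and the following `size += len` then moves `size` by it as well. The clamp constant is also `OGS_MAX_APN_LEN` here while the other PFCP call sites use `OGS_MAX_DNN_LEN`; the declaration of `info->network_instance` is not visible, so the limit should be checked against its real size, ideally by deriving it from `sizeof(info->network_instance)` if it is an array. A guard such as `if (len <= 0) return -1;` before the parse would cover the short case, assuming a negative return is how this function reports errors (its body extends beyond the hunk).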
@ -248,8 +248,9 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance,
|
|||
nf_instance->time.heartbeat_interval = NFProfile->heart_beat_timer;
|
||||
|
||||
if (NFProfile->fqdn)
|
||||
ogs_fqdn_parse(nf_instance->fqdn,
|
||||
NFProfile->fqdn, strlen(NFProfile->fqdn));
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
nf_instance->fqdn, NFProfile->fqdn,
|
||||
ogs_min(strlen(NFProfile->fqdn), OGS_MAX_FQDN_LEN+1)));
|
||||
|
||||
if (NFProfile->is_priority == true)
|
||||
nf_instance->priority = NFProfile->priority;
|
||||
|
@ -328,8 +329,9 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance,
|
|||
}
|
||||
|
||||
if (NFService->fqdn)
|
||||
ogs_fqdn_parse(nf_service->fqdn,
|
||||
NFService->fqdn, strlen(NFService->fqdn));
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
nf_service->fqdn, NFService->fqdn,
|
||||
ogs_min(strlen(NFService->fqdn), OGS_MAX_FQDN_LEN+1)));
|
||||
|
||||
OpenAPI_list_for_each(IpEndPointList, node2) {
|
||||
OpenAPI_ip_end_point_t *IpEndPoint = node2->data;
|
||||
|
|
|
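Review bot: `NFProfile->fqdn` and `NFService->fqdn` are measured with `strlen()`, which suggests they are NUL-terminated text from the decoded NF profile rather than length-prefixed labels, yet `ogs_fqdn_parse()` treats the first byte of its input as a label length. If these fields carry a dotted name, the stricter parser from this commit is likely to return 0 for ordinary values, and the new `ogs_assert` in `ogs_sbi_nnrf_handle_nf_profile()` would then fire on a well-formed profile. If they do carry the binary encoding, `strlen()` stops at the first zero octet and is the wrong way to measure it. The encoding expected here should be confirmed and documented at the call, and a text FQDN copied with a bounded string copy such as `ogs_cpystrn(nf_instance->fqdn, NFProfile->fqdn, OGS_MAX_FQDN_LEN+1)` if the destination is at least that large (its declaration is outside the hunk). The BSF and AF `pcf_fqdn` hunks below use the same `strlen()` pattern.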
@ -101,9 +101,10 @@ bool bsf_nbsf_management_handle_pcf_binding(
|
|||
bsf_sess_set_ipv6prefix(sess, RecvPcfBinding->ipv6_prefix);
|
||||
|
||||
if (RecvPcfBinding->pcf_fqdn) {
|
||||
ogs_fqdn_parse(fqdn,
|
||||
RecvPcfBinding->pcf_fqdn,
|
||||
strlen(RecvPcfBinding->pcf_fqdn));
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
fqdn, RecvPcfBinding->pcf_fqdn,
|
||||
ogs_min(strlen(RecvPcfBinding->pcf_fqdn),
|
||||
OGS_MAX_FQDN_LEN+1)));
|
||||
|
||||
if (sess->pcf_fqdn)
|
||||
ogs_free(sess->pcf_fqdn);
|
||||
|
|
|
@ -286,7 +286,9 @@ void sgsap_handle_paging_request(mme_vlr_t *vlr, ogs_pkbuf_t *pkbuf)
|
|||
nas_mobile_identity_imsi_len = iter->length;
|
||||
break;
|
||||
case SGSAP_IE_VLR_NAME_TYPE:
|
||||
ogs_fqdn_parse(vlr_name, iter->value, iter->length);
|
||||
ogs_assert(0 < ogs_fqdn_parse(
|
||||
vlr_name, iter->value,
|
||||
ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN+1)));
|
||||
break;
|
||||
case SGSAP_IE_LAI_TYPE:
|
||||
lai = iter->value;
|
||||
|
|
|
@ -189,8 +189,9 @@ void sgwc_s11_handle_create_session_request(
|
|||
}
|
||||
|
||||
/* Add Session */
|
||||
ogs_fqdn_parse(apn,
|
||||
req->access_point_name.data, req->access_point_name.len);
|
||||
ogs_assert(0 < ogs_fqdn_parse(apn,
|
||||
req->access_point_name.data,
|
||||
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1)));
|
||||
sess = sgwc_sess_find_by_ebi(sgwc_ue,
|
||||
req->bearer_contexts_to_be_created.eps_bearer_id.u8);
|
||||
if (sess) {
|
||||
|
|
|
@ -1036,8 +1036,8 @@ smf_sess_t *smf_sess_add_by_gtp_message(ogs_gtp_message_t *message)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
ogs_fqdn_parse(apn,
|
||||
req->access_point_name.data, req->access_point_name.len);
|
||||
ogs_assert(0 < ogs_fqdn_parse(apn, req->access_point_name.data,
|
||||
ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1)));
|
||||
|
||||
ogs_trace("smf_sess_add_by_message() [APN:%s]", apn);
|
||||
|
||||
|
|
|
@ -44,9 +44,8 @@ void af_nbsf_management_handle_pcf_binding(
|
|||
}
|
||||
|
||||
if (PcfBinding->pcf_fqdn) {
|
||||
ogs_fqdn_parse(fqdn,
|
||||
PcfBinding->pcf_fqdn,
|
||||
strlen(PcfBinding->pcf_fqdn));
|
||||
ogs_assert(0 < ogs_fqdn_parse(fqdn, PcfBinding->pcf_fqdn,
|
||||
ogs_min(strlen(PcfBinding->pcf_fqdn), OGS_MAX_FQDN_LEN+1)));
|
||||
if (sess->pcf.fqdn)
|
||||
ogs_free(sess->pcf.fqdn);
|
||||
sess->pcf.fqdn = ogs_strdup(fqdn);
|
||||
|
|