[AMF] fix crash due to malformed NGAP (#960)

Sukchan Lee 2021-05-08 15:09:10 +09:00
parent 5ea9b22209
commit 3b19190f56
15 changed files with 23 additions and 24 deletions


@ -687,7 +687,6 @@ int ogs_gtp_xact_receive(
ogs_gtp_xact_t *ogs_gtp_xact_find(ogs_index_t index)
{
ogs_assert(index);
return ogs_pool_find(&pool, index);
}


@ -717,7 +717,6 @@ int ogs_pfcp_xact_receive(
ogs_pfcp_xact_t *ogs_pfcp_xact_find(ogs_index_t index)
{
ogs_assert(index);
return ogs_pool_find(&pool, index);
}


@ -1025,7 +1025,6 @@ ran_ue_t *ran_ue_find_by_ran_ue_ngap_id(
ran_ue_t *ran_ue_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&ran_ue_pool, index);
}


@ -3571,6 +3571,13 @@ void ngap_handle_ng_reset(
NGAP_CauseRadioNetwork_unknown_local_UE_NGAP_ID);
return;
}
} else {
ogs_error("No UE NGAP ID");
ngap_send_error_indication(
gnb, NULL, NULL,
NGAP_Cause_PR_protocol,
NGAP_CauseProtocol_semantic_error);
return;
}
ogs_assert(ran_ue);
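Review bot: The `ogs_assert(ran_ue);` that follows the new else branch is still an abort inside a handler for peer-supplied NG Reset content, so it is safe only if every branch above it returns when the lookup fails. The hunk shows one such return (the `unknown_local_UE_NGAP_ID` case) and the new else; the other branches of ngap_handle_ng_reset are outside the hunk, so this should be confirmed. Either state the invariant next to it, `/* every branch above returns on a failed lookup, so ran_ue is non-NULL here */`, or replace the assert with an `if (!ran_ue)` check that logs and returns like the branches above.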


@ -128,7 +128,7 @@ void ngap_recv_handler(ogs_sock_t *sock)
ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
size = ogs_sctp_recvmsg(
sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
if (size < 0) {
if (size < 0 || size >= OGS_MAX_SDU_LEN) {
ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
size, errno, strerror(errno));
ogs_pkbuf_free(pkbuf);
@ -230,6 +230,7 @@ void ngap_recv_handler(ogs_sock_t *sock)
ngap_event_push(AMF_EVT_NGAP_MESSAGE, sock, addr, pkbuf, 0, 0);
return;
} else {
ogs_fatal("Invalid flag(0x%x)", flags);
ogs_assert_if_reached();
}
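Review bot: The else branch at the end of ngap_recv_handler still finishes in `ogs_assert_if_reached()`, so a receive whose flags match none of the earlier branches aborts the AMF; the added `ogs_fatal` only logs before that happens. The flag tests are outside the hunk, but if a peer can cause such a receive (for instance a partially delivered message that arrives without MSG_EOR), this remains a crash on network input; `ogs_error("Invalid flag(0x%x)", flags);` followed by releasing pkbuf and returning would drop the message instead. In the first hunk the new `size >= OGS_MAX_SDU_LEN` case reuses the `failed(%d:%s)` log, where errno is stale because the call did not fail, so a separate message for the oversize case would keep the logs usable for triage. Both patterns repeat in s1ap_recv_handler and in the SGsAP recv_handler further down the page.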


@ -351,6 +351,7 @@ void amf_sbi_send_deactivate_all_ue_in_gnb(amf_gnb_t *gnb, int state)
ran_ue_remove(ran_ue);
} else {
/* At this point, it does not support other action */
ogs_fatal("Invalid state [%d]", state);
ogs_assert_if_reached();
}
}


@ -1972,7 +1972,6 @@ enb_ue_t *enb_ue_find_by_enb_ue_s1ap_id(
enb_ue_t *enb_ue_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&enb_ue_pool, index);
}


@ -128,7 +128,7 @@ void s1ap_recv_handler(ogs_sock_t *sock)
ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
size = ogs_sctp_recvmsg(
sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
if (size < 0) {
if (size < 0 || size >= OGS_MAX_SDU_LEN) {
ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
size, errno, strerror(errno));
ogs_pkbuf_free(pkbuf);
@ -232,6 +232,7 @@ void s1ap_recv_handler(ogs_sock_t *sock)
s1ap_event_push(MME_EVT_S1AP_MESSAGE, sock, addr, pkbuf, 0, 0);
return;
} else {
ogs_fatal("Invalid flag(0x%x)", flags);
ogs_assert_if_reached();
}


@ -101,7 +101,7 @@ static void recv_handler(ogs_sock_t *sock)
ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
size = ogs_sctp_recvmsg(
sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
if (size < 0) {
if (size < 0 || size >= OGS_MAX_SDU_LEN) {
ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
size, errno, strerror(errno));
ogs_pkbuf_free(pkbuf);
@ -203,6 +203,7 @@ static void recv_handler(ogs_sock_t *sock)
sgsap_event_push(MME_EVT_SGSAP_MESSAGE, sock, addr, pkbuf, 0, 0);
return;
} else {
ogs_fatal("Invalid flag(0x%x)", flags);
ogs_assert_if_reached();
}
ogs_pkbuf_free(pkbuf);


@ -425,7 +425,6 @@ void sgwc_sess_remove_all(sgwc_ue_t *sgwc_ue)
sgwc_sess_t *sgwc_sess_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&sgwc_sess_pool, index);
}


@ -182,7 +182,6 @@ void sgwu_sess_remove_all(void)
sgwu_sess_t *sgwu_sess_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&sgwu_sess_pool, index);
}


@ -1446,7 +1446,6 @@ void smf_sess_remove_all(smf_ue_t *smf_ue)
smf_sess_t *smf_sess_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&smf_sess_pool, index);
}
@ -1971,12 +1970,6 @@ void smf_bearer_remove_all(smf_sess_t *sess)
smf_bearer_remove(bearer);
}
smf_bearer_t *smf_bearer_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&smf_bearer_pool, index);
}
smf_bearer_t *smf_bearer_find_by_pgw_s5u_teid(
smf_sess_t *sess, uint32_t pgw_s5u_teid)
{


@ -381,7 +381,6 @@ smf_bearer_t *smf_qos_flow_find_by_pcc_rule_id(
smf_bearer_t *smf_bearer_add(smf_sess_t *sess);
int smf_bearer_remove(smf_bearer_t *bearer);
void smf_bearer_remove_all(smf_sess_t *sess);
smf_bearer_t *smf_bearer_find(uint32_t index);
smf_bearer_t *smf_bearer_find_by_pgw_s5u_teid(
smf_sess_t *sess, uint32_t pgw_s5u_teid);
smf_bearer_t *smf_bearer_find_by_ebi(smf_sess_t *sess, uint8_t ebi);


@ -140,20 +140,23 @@ void udm_state_operational(ogs_fsm_t *s, udm_event_t *e)
break;
}
SWITCH(message.h.resource.component[2])
SWITCH(message.h.resource.component[1])
CASE(OGS_SBI_RESOURCE_NAME_AUTH_EVENTS)
udm_ue = udm_ue_find_by_ctx_id(
message.h.resource.component[2]);
break;
if (message.h.resource.component[2]) {
udm_ue = udm_ue_find_by_ctx_id(
message.h.resource.component[2]);
}
DEFAULT
END
if (!udm_ue) {
udm_ue = udm_ue_find_by_suci_or_supi(
message.h.resource.component[0]);
if (!udm_ue) {
udm_ue = udm_ue_add(message.h.resource.component[0]);
ogs_assert(udm_ue);
}
END
}
if (!udm_ue) {
ogs_error("Not found [%s]", message.h.method);
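Review bot: `ogs_assert(udm_ue);` directly after `udm_ue_add(message.h.resource.component[0])` aborts the UDM if a context cannot be created, and that call is driven by the identifier taken from the request path. The `if (!udm_ue)` check with `ogs_error("Not found [%s]", message.h.method)` that follows already handles a missing context, so dropping the assert would let a failed add take that error path instead. Old and new lines are interleaved without markers in this section, so the exact nesting is inferred. `component[0]` is also used without a visible NULL check, which may happen earlier in udm_state_operational, outside the hunk.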


@ -201,7 +201,6 @@ void upf_sess_remove_all(void)
upf_sess_t *upf_sess_find(uint32_t index)
{
ogs_assert(index);
return ogs_pool_find(&upf_sess_pool, index);
}