From 3b19190f568f23d0c7efca06c6bcb2bad4fb279f Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Sat, 8 May 2021 15:09:10 +0900
Subject: [PATCH] [AMF] fix crash due to malformed NGAP (#960)
---
 lib/gtp/xact.c | 1 -
 lib/pfcp/xact.c | 1 -
 src/amf/context.c | 1 -
 src/amf/ngap-handler.c | 7 +++++++
 src/amf/ngap-sctp.c | 3 ++-
 src/amf/sbi-path.c | 1 +
 src/mme/mme-context.c | 1 -
 src/mme/s1ap-sctp.c | 3 ++-
 src/mme/sgsap-sctp.c | 3 ++-
 src/sgwc/context.c | 1 -
 src/sgwu/context.c | 1 -
 src/smf/context.c | 7 -------
 src/smf/context.h | 1 -
 src/udm/udm-sm.c | 15 +++++++++------
 src/upf/context.c | 1 -
 15 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/lib/gtp/xact.c b/lib/gtp/xact.c
index f5d15f01a..cb7dc278e 100644
--- a/lib/gtp/xact.c
+++ b/lib/gtp/xact.c
@@ -687,7 +687,6 @@ int ogs_gtp_xact_receive(
 ogs_gtp_xact_t *ogs_gtp_xact_find(ogs_index_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&pool, index);
 }
diff --git a/lib/pfcp/xact.c b/lib/pfcp/xact.c
index cdfe7988c..e761f6cd6 100644
--- a/lib/pfcp/xact.c
+++ b/lib/pfcp/xact.c
@@ -717,7 +717,6 @@ int ogs_pfcp_xact_receive(
 ogs_pfcp_xact_t *ogs_pfcp_xact_find(ogs_index_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&pool, index);
 }
diff --git a/src/amf/context.c b/src/amf/context.c
index c3d88ee57..6ad47ad23 100644
--- a/src/amf/context.c
+++ b/src/amf/context.c
@@ -1025,7 +1025,6 @@ ran_ue_t *ran_ue_find_by_ran_ue_ngap_id(
 ran_ue_t *ran_ue_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&ran_ue_pool, index);
 }
diff --git a/src/amf/ngap-handler.c b/src/amf/ngap-handler.c
index f9c1783ab..e512add4e 100644
--- a/src/amf/ngap-handler.c
+++ b/src/amf/ngap-handler.c
@@ -3571,6 +3571,13 @@ void ngap_handle_ng_reset(
 NGAP_CauseRadioNetwork_unknown_local_UE_NGAP_ID);
 return;
 }
+ } else {
+ ogs_error("No UE NGAP ID");
+ ngap_send_error_indication(
+ gnb, NULL, NULL,
+ NGAP_Cause_PR_protocol,
+ NGAP_CauseProtocol_semantic_error);
+ return;
 }
 ogs_assert(ran_ue);
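Review bot: Dropping `ogs_assert(index)` in `ogs_gtp_xact_find` lets index 0 reach `ogs_pool_find`, so the function's behaviour for 0 and for out-of-range indices now rests entirely on that helper, which is outside this patch; callers that could previously rely on an abort get whatever it returns, presumably NULL. The lookup is unchanged otherwise, so the contract should be stated on the function, e.g. `/* Returns NULL for index 0 or any index outside the pool; callers must check the result */` — confirm the 0 and upper-bound handling against ogs_pool_find before wording it. The same assert is removed from `ogs_pfcp_xact_find`, `ran_ue_find`, `enb_ue_find`, `sgwc_sess_find`, `sgwu_sess_find`, `smf_sess_find` and `upf_sess_find` in the later hunks, and the same comment applies to each.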
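Review bot: The new `else` branch in `ngap_handle_ng_reset` returns from the handler as soon as one entry carries no UE NGAP ID, so if this sits inside a per-item loop the rest of the NG RESET is dropped rather than the single bad item being skipped; the enclosing function starts and ends outside the hunk, so that cannot be confirmed here, but the choice deserves a comment such as `/* An item with neither AMF nor RAN UE NGAP ID is a protocol error: reject the whole NG RESET rather than act on a partial list */`. The branch also answers with `NGAP_CauseProtocol_semantic_error` while the neighbouring branch uses a RadioNetwork cause, and a one-line note on why a missing ID is classified as a protocol error would help the next reader.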
diff --git a/src/amf/ngap-sctp.c b/src/amf/ngap-sctp.c
index b43a65e7c..b96e907b4 100644
--- a/src/amf/ngap-sctp.c
+++ b/src/amf/ngap-sctp.c
@@ -128,7 +128,7 @@ void ngap_recv_handler(ogs_sock_t *sock)
 ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
 size = ogs_sctp_recvmsg(
 sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
- if (size < 0) {
+ if (size < 0 || size >= OGS_MAX_SDU_LEN) {
 ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
 size, errno, strerror(errno));
 ogs_pkbuf_free(pkbuf);
@@ -230,6 +230,7 @@ void ngap_recv_handler(ogs_sock_t *sock)
 ngap_event_push(AMF_EVT_NGAP_MESSAGE, sock, addr, pkbuf, 0, 0);
 return;
 } else {
+ ogs_fatal("Invalid flag(0x%x)", flags);
 ogs_assert_if_reached();
 }
diff --git a/src/amf/sbi-path.c b/src/amf/sbi-path.c
index 232db5f2b..61c331695 100644
--- a/src/amf/sbi-path.c
+++ b/src/amf/sbi-path.c
@@ -351,6 +351,7 @@ void amf_sbi_send_deactivate_all_ue_in_gnb(amf_gnb_t *gnb, int state)
 ran_ue_remove(ran_ue);
 } else {
 /* At this point, it does not support other action */
+ ogs_fatal("Invalid state [%d]", state);
 ogs_assert_if_reached();
 }
 }
diff --git a/src/mme/mme-context.c b/src/mme/mme-context.c
index cb1c38993..faed178fa 100644
--- a/src/mme/mme-context.c
+++ b/src/mme/mme-context.c
@@ -1972,7 +1972,6 @@ enb_ue_t *enb_ue_find_by_enb_ue_s1ap_id(
 enb_ue_t *enb_ue_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&enb_ue_pool, index);
 }
diff --git a/src/mme/s1ap-sctp.c b/src/mme/s1ap-sctp.c
index 36a53c127..ed20ca38c 100644
--- a/src/mme/s1ap-sctp.c
+++ b/src/mme/s1ap-sctp.c
@@ -128,7 +128,7 @@ void s1ap_recv_handler(ogs_sock_t *sock)
 ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
 size = ogs_sctp_recvmsg(
 sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
- if (size < 0) {
+ if (size < 0 || size >= OGS_MAX_SDU_LEN) {
 ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
 size, errno, strerror(errno));
 ogs_pkbuf_free(pkbuf);
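Review bot: The added `size >= OGS_MAX_SDU_LEN` leg in `ngap_recv_handler` reuses the error line that prints `errno`/`strerror(errno)`, so a message that merely fills the buffer (the receive is bounded by `pkbuf->len`, which `ogs_pkbuf_put` set to OGS_MAX_SDU_LEN) is logged as a failed recvmsg with a stale errno. Rejecting a full buffer is defensible, since it cannot be told apart from a truncated SDU, but it should be logged for what it is: keep `errno` on the `size < 0` path and report the size case separately, e.g. `ogs_error("SDU too large [%d]", size);`, with a comment `/* a full buffer may be a truncated SDU: drop it */` on the condition. The same change appears in `s1ap_recv_handler` in src/mme/s1ap-sctp.c and `recv_handler` in src/mme/sgsap-sctp.c.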
@@ -232,6 +232,7 @@ void s1ap_recv_handler(ogs_sock_t *sock)
 s1ap_event_push(MME_EVT_S1AP_MESSAGE, sock, addr, pkbuf, 0, 0);
 return;
 } else {
+ ogs_fatal("Invalid flag(0x%x)", flags);
 ogs_assert_if_reached();
 }
diff --git a/src/mme/sgsap-sctp.c b/src/mme/sgsap-sctp.c
index 0f9793b43..9fb1f8288 100644
--- a/src/mme/sgsap-sctp.c
+++ b/src/mme/sgsap-sctp.c
@@ -101,7 +101,7 @@ static void recv_handler(ogs_sock_t *sock)
 ogs_pkbuf_put(pkbuf, OGS_MAX_SDU_LEN);
 size = ogs_sctp_recvmsg(
 sock, pkbuf->data, pkbuf->len, &from, &sinfo, &flags);
- if (size < 0) {
+ if (size < 0 || size >= OGS_MAX_SDU_LEN) {
 ogs_error("ogs_sctp_recvmsg(%d) failed(%d:%s)",
 size, errno, strerror(errno));
 ogs_pkbuf_free(pkbuf);
@@ -203,6 +203,7 @@ static void recv_handler(ogs_sock_t *sock)
 sgsap_event_push(MME_EVT_SGSAP_MESSAGE, sock, addr, pkbuf, 0, 0);
 return;
 } else {
+ ogs_fatal("Invalid flag(0x%x)", flags);
 ogs_assert_if_reached();
 }
 ogs_pkbuf_free(pkbuf);
diff --git a/src/sgwc/context.c b/src/sgwc/context.c
index c19d53450..0ef8e2bf5 100644
--- a/src/sgwc/context.c
+++ b/src/sgwc/context.c
@@ -425,7 +425,6 @@ void sgwc_sess_remove_all(sgwc_ue_t *sgwc_ue)
 sgwc_sess_t *sgwc_sess_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&sgwc_sess_pool, index);
 }
diff --git a/src/sgwu/context.c b/src/sgwu/context.c
index 82ffc966f..b5e3dc269 100644
--- a/src/sgwu/context.c
+++ b/src/sgwu/context.c
@@ -182,7 +182,6 @@ void sgwu_sess_remove_all(void)
 sgwu_sess_t *sgwu_sess_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&sgwu_sess_pool, index);
 }
diff --git a/src/smf/context.c b/src/smf/context.c
index 255ef8015..2377bcebe 100644
--- a/src/smf/context.c
+++ b/src/smf/context.c
@@ -1446,7 +1446,6 @@ void smf_sess_remove_all(smf_ue_t *smf_ue)
 smf_sess_t *smf_sess_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&smf_sess_pool, index);
 }
@@ -1971,12 +1970,6 @@ void smf_bearer_remove_all(smf_sess_t *sess)
 smf_bearer_remove(bearer);
 }
-smf_bearer_t *smf_bearer_find(uint32_t index)
-{
- ogs_assert(index);
- return ogs_pool_find(&smf_bearer_pool, index);
-}
-
 smf_bearer_t *smf_bearer_find_by_pgw_s5u_teid(
 smf_sess_t *sess, uint32_t pgw_s5u_teid)
 {
diff --git a/src/smf/context.h b/src/smf/context.h
index ac2514fc7..81b3083ed 100644
--- a/src/smf/context.h
+++ b/src/smf/context.h
@@ -381,7 +381,6 @@ smf_bearer_t *smf_qos_flow_find_by_pcc_rule_id(
 smf_bearer_t *smf_bearer_add(smf_sess_t *sess);
 int smf_bearer_remove(smf_bearer_t *bearer);
 void smf_bearer_remove_all(smf_sess_t *sess);
-smf_bearer_t *smf_bearer_find(uint32_t index);
 smf_bearer_t *smf_bearer_find_by_pgw_s5u_teid(
 smf_sess_t *sess, uint32_t pgw_s5u_teid);
 smf_bearer_t *smf_bearer_find_by_ebi(smf_sess_t *sess, uint8_t ebi);
diff --git a/src/udm/udm-sm.c b/src/udm/udm-sm.c
index c042b7126..46d4d836b 100644
--- a/src/udm/udm-sm.c
+++ b/src/udm/udm-sm.c
@@ -140,20 +140,23 @@ void udm_state_operational(ogs_fsm_t *s, udm_event_t *e)
 break;
 }
- SWITCH(message.h.resource.component[2])
+ SWITCH(message.h.resource.component[1])
 CASE(OGS_SBI_RESOURCE_NAME_AUTH_EVENTS)
- udm_ue = udm_ue_find_by_ctx_id(
- message.h.resource.component[2]);
- break;
-
+ if (message.h.resource.component[2]) {
+ udm_ue = udm_ue_find_by_ctx_id(
+ message.h.resource.component[2]);
+ }
 DEFAULT
+ END
+
+ if (!udm_ue) {
 udm_ue = udm_ue_find_by_suci_or_supi(
 message.h.resource.component[0]);
 if (!udm_ue) {
 udm_ue = udm_ue_add(message.h.resource.component[0]);
 ogs_assert(udm_ue);
 }
- END
+ }
 if (!udm_ue) {
 ogs_error("Not found [%s]", message.h.method);
diff --git a/src/upf/context.c b/src/upf/context.c
index a18e03d56..750502745 100644
--- a/src/upf/context.c
+++ b/src/upf/context.c
@@ -201,7 +201,6 @@ void upf_sess_remove_all(void)
 upf_sess_t *upf_sess_find(uint32_t index)
 {
- ogs_assert(index);
 return ogs_pool_find(&upf_sess_pool, index);
 }
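Review bot: With the `SWITCH` in `udm_state_operational` now keyed on `component[1]`, a request whose resource path has only the SUPI component leaves `component[1]` NULL, and whether `SWITCH`/`CASE` tolerate a NULL string is not visible in the hunk — the crash being fixed on `component[2]` suggests they may not, so a guard such as `if (!message.h.resource.component[1]) { /* reject: missing resource */ }` ahead of the `SWITCH`, or an equivalent check earlier in the function (which starts outside the hunk), would close that gap. Also, in the AUTH_EVENTS case a missing `component[2]`, or a context id that `udm_ue_find_by_ctx_id` does not know, now drops into the `if (!udm_ue)` block and can end in `udm_ue_add(component[0])`, so an auth-events request with a bad context id selects or creates a UE by SUPI instead of being rejected; if that fallback is intended, say so with a comment like `/* unknown or missing auth-event id: fall back to lookup by SUPI */`, otherwise return an error there.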