[TLV] PFCP parser crash from FuzzingLabs (#2523)

Sukchan Lee 2023-08-18 22:19:46 +09:00
parent fc4072590e
commit 4b0bade80e
9 changed files with 43 additions and 17 deletions


@ -750,7 +750,10 @@ int ogs_tlv_parse_msg(void *msg, ogs_tlv_desc_t *desc, ogs_pkbuf_t *pkbuf,
ogs_assert(pkbuf);
ogs_assert(desc->ctype == OGS_TLV_MESSAGE);
ogs_assert(desc->child_descs[0]);
if (!desc->child_descs[0]) {
ogs_fatal("No Child Descs in [%s]", desc->name);
ogs_assert_if_reached();
}
root = ogs_tlv_parse_block(pkbuf->len, pkbuf->data, mode);
if (root == NULL) {
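Review bot: The new `if (!desc->child_descs[0])` branch in ogs_tlv_parse_msg still ends in `ogs_assert_if_reached()`, so a descriptor with no children presumably still terminates the process; the change only gives a clearer log line first. The function returns `int` and the generated callers visible in this commit already test `rv == OGS_OK`. Logging with `ogs_error("No Child Descs in [%s]", desc->name);` followed by `return OGS_ERROR;` would therefore reject the message and keep the network-facing parser running if another message type without IEs is ever generated. The function body starts and ends outside this hunk. A regression test that feeds the reported fuzzer input through the PFCP parser would pin the behaviour.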


@ -695,7 +695,10 @@ ogs_pfcp_node_t *ogs_pfcp_node_new(ogs_sockaddr_t *sa_list)
ogs_assert(sa_list);
ogs_pool_alloc(&ogs_pfcp_node_pool, &node);
ogs_assert(node);
if (!node) {
ogs_error("No memory: ogs_pool_alloc() failed");
return NULL;
}
memset(node, 0, sizeof(ogs_pfcp_node_t));
node->sa_list = sa_list;
@ -731,6 +734,11 @@ ogs_pfcp_node_t *ogs_pfcp_node_add(
ogs_assert(OGS_OK == ogs_copyaddrinfo(&new, addr));
node = ogs_pfcp_node_new(new);
if (!node) {
ogs_error("No memory : ogs_pfcp_node_new() failed");
ogs_freeaddrinfo(new);
return NULL;
}
ogs_assert(node);
memcpy(&node->addr, new, sizeof node->addr);
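Review bot: In ogs_pfcp_node_add the unchanged line `ogs_assert(OGS_OK == ogs_copyaddrinfo(&new, addr));` still asserts, one statement before the NULL return this commit adds. If that call can fail at run time (it appears to allocate), the function can abort on the same receive path the commit is making recoverable. Handling it the same way, `if (ogs_copyaddrinfo(&new, addr) != OGS_OK) { ogs_error("ogs_copyaddrinfo() failed"); return NULL; }`, would make the error handling consistent. The `ogs_assert(node);` left after the new `if (!node)` block can no longer fire and could be dropped. Both functions continue outside the hunks shown.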


@ -20,7 +20,7 @@
/*******************************************************************************
* This file had been created by pfcp-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-04-09 20:37:00.518388 by acetcom
* Created on: 2023-08-18 22:15:59.596820 by acetcom
* from 29244-h71-modified.docx
******************************************************************************/
@ -4779,9 +4779,6 @@ ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf)
ogs_expect(rv == OGS_OK);
break;
case OGS_PFCP_VERSION_NOT_SUPPORTED_RESPONSE_TYPE:
rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_version_not_supported_response,
&ogs_pfcp_msg_desc_pfcp_version_not_supported_response, pkbuf, OGS_TLV_MODE_T2_L2);
ogs_expect(rv == OGS_OK);
break;
case OGS_PFCP_NODE_REPORT_REQUEST_TYPE:
rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_node_report_request,
@ -4834,9 +4831,6 @@ ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf)
ogs_expect(rv == OGS_OK);
break;
case OGS_PFCP_SESSION_DELETION_REQUEST_TYPE:
rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_session_deletion_request,
&ogs_pfcp_msg_desc_pfcp_session_deletion_request, pkbuf, OGS_TLV_MODE_T2_L2);
ogs_expect(rv == OGS_OK);
break;
case OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE:
rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_session_deletion_response,


@ -20,7 +20,7 @@
/*******************************************************************************
* This file had been created by pfcp-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-04-09 20:37:00.506639 by acetcom
* Created on: 2023-08-18 22:15:59.578047 by acetcom
* from 29244-h71-modified.docx
******************************************************************************/


@ -840,9 +840,10 @@ f.write("""ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf)
for (k, v) in sorted_msg_list:
if "ies" in msg_list[k]:
f.write(" case OGS_%s_TYPE:\n" % v_upper(k))
f.write(" rv = ogs_tlv_parse_msg(&pfcp_message->%s,\n" % v_lower(k))
f.write(" &ogs_pfcp_msg_desc_%s, pkbuf, OGS_TLV_MODE_T2_L2);\n" % v_lower(k))
f.write(" ogs_expect(rv == OGS_OK);\n")
if k != "PFCP Session Deletion Request" and k != "PFCP Version Not Supported Response":
f.write(" rv = ogs_tlv_parse_msg(&pfcp_message->%s,\n" % v_lower(k))
f.write(" &ogs_pfcp_msg_desc_%s, pkbuf, OGS_TLV_MODE_T2_L2);\n" % v_lower(k))
f.write(" ogs_expect(rv == OGS_OK);\n")
f.write(" break;\n")
f.write(""" default:
ogs_warn("Not implemented(type:%d)", pfcp_message->h.type);
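Review bot: The skip condition hard-codes two message names (`"PFCP Session Deletion Request"` and `"PFCP Version Not Supported Response"`), so a later spec revision that adds another message without IEs would again generate a call into ogs_tlv_parse_msg with an empty descriptor. If these two are simply the messages whose `ies` list is empty, which the "No Child Descs" check added elsewhere in this commit suggests, testing the data instead, e.g. `if msg_list[k]["ies"]:`, would cover that case automatically. The generated cases now reach `break` without assigning `rv`, so the result for these types depends on how `rv` is initialised outside this hunk. A short comment above the condition stating the intended outcome (accept or reject) would help the next maintainer.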


@ -105,7 +105,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
if (!node) {
node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
ogs_assert(node);
if (!node) {
ogs_error("No memory: ogs_pfcp_node_add() failed");
ogs_pkbuf_free(e->pkbuf);
ogs_event_free(e);
return;
}
node->sock = data;
pfcp_node_fsm_init(node, false);
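Review bot: The new failure branch in pfcp_recv_cb logs `"No memory: ogs_pfcp_node_add() failed"` without naming the peer, and from what the hunk shows it runs once per datagram from an unknown source address. When the node pool is exhausted the log can therefore fill with identical lines, and an operator cannot tell which senders are being dropped. Including the source address from `from` in the message, and ideally rate-limiting it, would make the condition diagnosable. The same block is added verbatim in the three other pfcp_recv_cb sections of this commit, so a shared helper for the find-or-add-or-drop step would keep the four copies from drifting. The function body starts and ends outside the hunk.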


@ -105,7 +105,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
if (!node) {
node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
ogs_assert(node);
if (!node) {
ogs_error("No memory: ogs_pfcp_node_add() failed");
ogs_pkbuf_free(e->pkbuf);
ogs_event_free(e);
return;
}
node->sock = data;
pfcp_node_fsm_init(node, false);


@ -145,7 +145,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
if (!node) {
node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
ogs_assert(node);
if (!node) {
ogs_error("No memory: ogs_pfcp_node_add() failed");
ogs_pkbuf_free(e->pkbuf);
ogs_event_free(e);
return;
}
node->sock = data;
pfcp_node_fsm_init(node, false);


@ -108,7 +108,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
if (!node) {
node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
ogs_assert(node);
if (!node) {
ogs_error("No memory: ogs_pfcp_node_add() failed");
ogs_pkbuf_free(e->pkbuf);
ogs_event_free(e);
return;
}
node->sock = data;
pfcp_node_fsm_init(node, false);