From 4b0bade80e235574b0d94c94c2ffdff4bab58e97 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Fri, 18 Aug 2023 22:19:46 +0900
Subject: [PATCH] [TLV] PFCP parser crash from FuzzingLabs (#2523)
---
 lib/core/ogs-tlv-msg.c | 5 ++++-
 lib/pfcp/context.c | 10 +++++++++-
 lib/pfcp/message.c | 8 +-------
 lib/pfcp/message.h | 2 +-
 lib/pfcp/support/pfcp-tlv.py | 7 ++++---
 src/sgwc/pfcp-path.c | 7 ++++++-
 src/sgwu/pfcp-path.c | 7 ++++++-
 src/smf/pfcp-path.c | 7 ++++++-
 src/upf/pfcp-path.c | 7 ++++++-
 9 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/lib/core/ogs-tlv-msg.c b/lib/core/ogs-tlv-msg.c
index 16cae75c3..37936bf46 100644
--- a/lib/core/ogs-tlv-msg.c
+++ b/lib/core/ogs-tlv-msg.c
@@ -750,7 +750,10 @@ int ogs_tlv_parse_msg(void *msg, ogs_tlv_desc_t *desc, ogs_pkbuf_t *pkbuf,
 ogs_assert(pkbuf);
 ogs_assert(desc->ctype == OGS_TLV_MESSAGE);
- ogs_assert(desc->child_descs[0]);
+ if (!desc->child_descs[0]) {
+ ogs_fatal("No Child Descs in [%s]", desc->name);
+ ogs_assert_if_reached();
+ }
 root = ogs_tlv_parse_block(pkbuf->len, pkbuf->data, mode);
 if (root == NULL) {
diff --git a/lib/pfcp/context.c b/lib/pfcp/context.c
index 5f085c687..23c3531e0 100644
--- a/lib/pfcp/context.c
+++ b/lib/pfcp/context.c
@@ -695,7 +695,10 @@ ogs_pfcp_node_t *ogs_pfcp_node_new(ogs_sockaddr_t *sa_list)
 ogs_assert(sa_list);
 ogs_pool_alloc(&ogs_pfcp_node_pool, &node);
- ogs_assert(node);
+ if (!node) {
+ ogs_error("No memory: ogs_pool_alloc() failed");
+ return NULL;
+ }
 memset(node, 0, sizeof(ogs_pfcp_node_t));
 node->sa_list = sa_list;
@@ -731,6 +734,11 @@ ogs_pfcp_node_t *ogs_pfcp_node_add(
 ogs_assert(OGS_OK == ogs_copyaddrinfo(&new, addr));
 node = ogs_pfcp_node_new(new);
+ if (!node) {
+ ogs_error("No memory : ogs_pfcp_node_new() failed");
+ ogs_freeaddrinfo(new);
+ return NULL;
+ }
 ogs_assert(node);
 memcpy(&node->addr, new, sizeof node->addr);
diff --git a/lib/pfcp/message.c b/lib/pfcp/message.c
index 63fc780cd..efde7b333 100644
--- a/lib/pfcp/message.c
+++ b/lib/pfcp/message.c
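Review bot: The new branch in ogs_tlv_parse_msg() still ends the process: `ogs_fatal(...)` is followed by `ogs_assert_if_reached()`, which by its name aborts just as the removed `ogs_assert(desc->child_descs[0])` did, only with a clearer log line. Because this function parses bytes received from a peer, a descriptor without children is better reported as a parse failure, e.g. `ogs_error("No Child Descs in [%s]", desc->name); return OGS_ERROR;`, so that the callers' `ogs_expect(rv == OGS_OK)` handles it. As written, the crash is avoided only because the generator in this commit stops emitting the parser call for two named message types. The function body continues outside the hunk.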
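Review bot: ogs_pfcp_node_new() can now return NULL, and on that path it has not stored `sa_list` anywhere, but nothing in the hunk records this new contract. A short comment above the function would help, e.g. `/* Returns NULL when the node pool is exhausted; sa_list is then still owned by the caller. */`. ogs_pfcp_node_add() in the next hunk frees the list itself, but any other callers of ogs_pfcp_node_new() lie outside this diff and should be checked for an unguarded dereference of the result. The function starts and ends outside the hunk.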
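Review bot: In ogs_pfcp_node_add() the call just above the new check is still wrapped in an assert, `ogs_assert(OGS_OK == ogs_copyaddrinfo(&new, addr));`, so a failure to copy the address (which presumably allocates, given the `ogs_freeaddrinfo(new)` added below) still aborts on the same receive path this commit is hardening. It could fail the same way as the new branch: `if (ogs_copyaddrinfo(&new, addr) != OGS_OK) { ogs_error("ogs_copyaddrinfo() failed"); return NULL; }`. The `ogs_assert(node);` left after the new `if (!node)` block can no longer fire and can be dropped. The function body extends beyond the hunk on both sides.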
@@ -20,7 +20,7 @@ /******************************************************************************* * This file had been created by pfcp-tlv.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2023-04-09 20:37:00.518388 by acetcom + * Created on: 2023-08-18 22:15:59.596820 by acetcom * from 29244-h71-modified.docx ******************************************************************************/ @@ -4779,9 +4779,6 @@ ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf) ogs_expect(rv == OGS_OK); break; case OGS_PFCP_VERSION_NOT_SUPPORTED_RESPONSE_TYPE: - rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_version_not_supported_response, - &ogs_pfcp_msg_desc_pfcp_version_not_supported_response, pkbuf, OGS_TLV_MODE_T2_L2); - ogs_expect(rv == OGS_OK); break; case OGS_PFCP_NODE_REPORT_REQUEST_TYPE: rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_node_report_request, @@ -4834,9 +4831,6 @@ ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf) ogs_expect(rv == OGS_OK); break; case OGS_PFCP_SESSION_DELETION_REQUEST_TYPE: - rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_session_deletion_request, - &ogs_pfcp_msg_desc_pfcp_session_deletion_request, pkbuf, OGS_TLV_MODE_T2_L2); - ogs_expect(rv == OGS_OK); break; case OGS_PFCP_SESSION_DELETION_RESPONSE_TYPE: rv = ogs_tlv_parse_msg(&pfcp_message->pfcp_session_deletion_response, diff --git a/lib/pfcp/message.h b/lib/pfcp/message.h index e31e26702..e10796db4 100644 --- a/lib/pfcp/message.h +++ b/lib/pfcp/message.h @@ -20,7 +20,7 @@ /******************************************************************************* * This file had been created by pfcp-tlv.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2023-04-09 20:37:00.506639 by acetcom + * Created on: 2023-08-18 22:15:59.578047 by acetcom * from 29244-h71-modified.docx ******************************************************************************/ 
diff --git a/lib/pfcp/support/pfcp-tlv.py b/lib/pfcp/support/pfcp-tlv.py
index bbeac762b..671b81640 100644
--- a/lib/pfcp/support/pfcp-tlv.py
+++ b/lib/pfcp/support/pfcp-tlv.py
@@ -840,9 +840,10 @@ f.write("""ogs_pfcp_message_t *ogs_pfcp_parse_msg(ogs_pkbuf_t *pkbuf)
 for (k, v) in sorted_msg_list:
 if "ies" in msg_list[k]:
 f.write(" case OGS_%s_TYPE:\n" % v_upper(k))
- f.write(" rv = ogs_tlv_parse_msg(&pfcp_message->%s,\n" % v_lower(k))
- f.write(" &ogs_pfcp_msg_desc_%s, pkbuf, OGS_TLV_MODE_T2_L2);\n" % v_lower(k))
- f.write(" ogs_expect(rv == OGS_OK);\n")
+ if k != "PFCP Session Deletion Request" and k != "PFCP Version Not Supported Response":
+ f.write(" rv = ogs_tlv_parse_msg(&pfcp_message->%s,\n" % v_lower(k))
+ f.write(" &ogs_pfcp_msg_desc_%s, pkbuf, OGS_TLV_MODE_T2_L2);\n" % v_lower(k))
+ f.write(" ogs_expect(rv == OGS_OK);\n")
 f.write(" break;\n")
 f.write(""" default:
 ogs_warn("Not implemented(type:%d)", pfcp_message->h.type);
diff --git a/src/sgwc/pfcp-path.c b/src/sgwc/pfcp-path.c
index e737a4442..fa5c9f505 100644
--- a/src/sgwc/pfcp-path.c
+++ b/src/sgwc/pfcp-path.c
@@ -105,7 +105,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
 node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
 if (!node) {
 node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
- ogs_assert(node);
+ if (!node) {
+ ogs_error("No memory: ogs_pfcp_node_add() failed");
+ ogs_pkbuf_free(e->pkbuf);
+ ogs_event_free(e);
+ return;
+ }
 node->sock = data;
 pfcp_node_fsm_init(node, false);
diff --git a/src/sgwu/pfcp-path.c b/src/sgwu/pfcp-path.c
index f3a08c072..d9f423bbf 100644
--- a/src/sgwu/pfcp-path.c
+++ b/src/sgwu/pfcp-path.c
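Review bot: The exclusion is keyed on two hard-coded message names, `k != "PFCP Session Deletion Request" and k != "PFCP Version Not Supported Response"`, so a later specification document that adds another message without IEs would regenerate a `case` that calls ogs_tlv_parse_msg() with a child-less descriptor. If an empty IE list is what sets these two messages apart (the hunk does not show the shape of `msg_list[k]["ies"]`), testing that directly, for example `if len(msg_list[k]["ies"]) > 0:`, would keep the generator correct without a name list. A one-line comment saying why the parse call is skipped would also help, such as `# messages without IEs have no child descriptor, so ogs_tlv_parse_msg() must not be called`. The generated cases for these two messages now accept any payload without inspecting it, which seems intended but is worth stating in that comment.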
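Review bot: The new failure branch in pfcp_recv_cb() calls `ogs_error()` for every dropped packet, and the node is allocated for any sender address that ogs_pfcp_node_find() does not already know, so once the pool is full each further datagram from an unknown address produces a log line and legitimate new peers are refused. Consider rate-limiting that message or counting the drops in a metric, and, if the message header is already validated earlier in the function (not visible here), allocating the peer node only for message types that may open a new association. The same six-line block is repeated in the src/sgwu, src/smf and src/upf pfcp-path.c hunks; a shared helper in lib/pfcp would keep the cleanup of `e->pkbuf` and `e` identical in all four. The function starts and ends outside the hunk.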
@@ -105,7 +105,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
 node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
 if (!node) {
 node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
- ogs_assert(node);
+ if (!node) {
+ ogs_error("No memory: ogs_pfcp_node_add() failed");
+ ogs_pkbuf_free(e->pkbuf);
+ ogs_event_free(e);
+ return;
+ }
 node->sock = data;
 pfcp_node_fsm_init(node, false);
diff --git a/src/smf/pfcp-path.c b/src/smf/pfcp-path.c
index 4a1ed2b6b..272e2b484 100644
--- a/src/smf/pfcp-path.c
+++ b/src/smf/pfcp-path.c
@@ -145,7 +145,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
 node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
 if (!node) {
 node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
- ogs_assert(node);
+ if (!node) {
+ ogs_error("No memory: ogs_pfcp_node_add() failed");
+ ogs_pkbuf_free(e->pkbuf);
+ ogs_event_free(e);
+ return;
+ }
 node->sock = data;
 pfcp_node_fsm_init(node, false);
diff --git a/src/upf/pfcp-path.c b/src/upf/pfcp-path.c
index 16c9c0544..0935e9922 100644
--- a/src/upf/pfcp-path.c
+++ b/src/upf/pfcp-path.c
@@ -108,7 +108,12 @@ static void pfcp_recv_cb(short when, ogs_socket_t fd, void *data)
 node = ogs_pfcp_node_find(&ogs_pfcp_self()->pfcp_peer_list, &from);
 if (!node) {
 node = ogs_pfcp_node_add(&ogs_pfcp_self()->pfcp_peer_list, &from);
- ogs_assert(node);
+ if (!node) {
+ ogs_error("No memory: ogs_pfcp_node_add() failed");
+ ogs_pkbuf_free(e->pkbuf);
+ ogs_event_free(e);
+ return;
+ }
 node->sock = data;
 pfcp_node_fsm_init(node, false);