sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[TLV] GTP parser crashg from FuzzingLabs 

See below for details
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61780#c1
This commit is contained in:
Sukchan Lee 2023-08-26 16:28:42 +09:00
parent 654fe4010c
commit 5c726684b3
6 changed files with 14 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/gtp/v1/message.c
View File

@ -1,6 +1,7 @@
/*
* Copyright (C) 2019 by Sukchan Lee <acetcom@gmail.com>
* Copyright (C) 2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
* Copyright (C) 2023 by Sukchan Lee <acetcom@gmail.com>
*
* This file is part of Open5GS.
*
@ -21,7 +22,7 @@
/*******************************************************************************
* This file had been created by gtp1-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-03-05 12:29:34.542862 by acetcom
* Created on: 2023-08-26 16:26:00.627882 by acetcom
* from 29060-h40.docx
******************************************************************************/
@ -2313,9 +2314,6 @@ int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t *pkbuf)
switch(gtp1_message->h.type) {
case OGS_GTP1_ECHO_REQUEST_TYPE:
rv = ogs_tlv_parse_msg_desc(&gtp1_message->echo_request,
&ogs_gtp1_tlv_desc_echo_request, pkbuf, OGS_TLV_MODE_T1_L2);
break;
case OGS_GTP1_ECHO_RESPONSE_TYPE:
rv = ogs_tlv_parse_msg_desc(&gtp1_message->echo_response,
&ogs_gtp1_tlv_desc_echo_response, pkbuf, OGS_TLV_MODE_T1_L2);
@ -2425,9 +2423,6 @@ int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t *pkbuf)
&ogs_gtp1_tlv_desc_forward_relocation_response, pkbuf, OGS_TLV_MODE_T1_L2);
break;
case OGS_GTP1_FORWARD_RELOCATION_COMPLETE_TYPE:
rv = ogs_tlv_parse_msg_desc(&gtp1_message->forward_relocation_complete,
&ogs_gtp1_tlv_desc_forward_relocation_complete, pkbuf, OGS_TLV_MODE_T1_L2);
break;
case OGS_GTP1_RELOCATION_CANCEL_REQUEST_TYPE:
rv = ogs_tlv_parse_msg_desc(&gtp1_message->relocation_cancel_request,
&ogs_gtp1_tlv_desc_relocation_cancel_request, pkbuf, OGS_TLV_MODE_T1_L2);

3
lib/gtp/v1/message.h
View File

@ -1,6 +1,7 @@
/*
* Copyright (C) 2019 by Sukchan Lee <acetcom@gmail.com>
* Copyright (C) 2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
* Copyright (C) 2023 by Sukchan Lee <acetcom@gmail.com>
*
* This file is part of Open5GS.
*
@ -21,7 +22,7 @@
/*******************************************************************************
* This file had been created by gtp1-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-03-05 12:29:34.536821 by acetcom
* Created on: 2023-08-26 16:26:00.621752 by acetcom
* from 29060-h40.docx
******************************************************************************/

7
lib/gtp/v1/support/gtp1-tlv.py
View File

@ -635,9 +635,10 @@ f.write("""int ogs_gtp1_parse_msg(ogs_gtp1_message_t *gtp1_message, ogs_pkbuf_t
for (k, v) in sorted_msg_list:
if "ies" in msg_list[k]:
f.write(" case OGS_GTP1_%s_TYPE:\n" % v_upper(k))
f.write(" rv = ogs_tlv_parse_msg_desc(&gtp1_message->%s,\n" % v_lower(k))
f.write(" &ogs_gtp1_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2);\n" % v_lower(k))
f.write(" break;\n")
if k != "Echo Request" and k != "Forward Relocation Complete":
f.write(" rv = ogs_tlv_parse_msg_desc(&gtp1_message->%s,\n" % v_lower(k))
f.write(" &ogs_gtp1_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2);\n" % v_lower(k))
f.write(" break;\n")
f.write(""" default:
ogs_warn("Not implemented(type:%d)", gtp1_message->h.type);
break;

5
lib/gtp/v2/message.c
View File

@ -20,7 +20,7 @@
/*******************************************************************************
* This file had been created by gtp-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-03-05 11:59:11.018342 by acetcom
* Created on: 2023-08-26 16:22:05.130327 by acetcom
* from 29274-h70.docx
******************************************************************************/
@ -2983,9 +2983,6 @@ int ogs_gtp2_parse_msg(ogs_gtp2_message_t *gtp2_message, ogs_pkbuf_t *pkbuf)
&ogs_gtp2_tlv_desc_create_indirect_data_forwarding_tunnel_response, pkbuf, OGS_TLV_MODE_T1_L2_I1);
break;
case OGS_GTP2_DELETE_INDIRECT_DATA_FORWARDING_TUNNEL_REQUEST_TYPE:
rv = ogs_tlv_parse_msg(&gtp2_message->delete_indirect_data_forwarding_tunnel_request,
&ogs_gtp2_tlv_desc_delete_indirect_data_forwarding_tunnel_request, pkbuf, OGS_TLV_MODE_T1_L2_I1);
break;
case OGS_GTP2_DELETE_INDIRECT_DATA_FORWARDING_TUNNEL_RESPONSE_TYPE:
rv = ogs_tlv_parse_msg(&gtp2_message->delete_indirect_data_forwarding_tunnel_response,
&ogs_gtp2_tlv_desc_delete_indirect_data_forwarding_tunnel_response, pkbuf, OGS_TLV_MODE_T1_L2_I1);

2
lib/gtp/v2/message.h
View File

@ -20,7 +20,7 @@
/*******************************************************************************
* This file had been created by gtp-tlv.py script v0.1.0
* Please do not modify this file but regenerate it via script.
* Created on: 2023-03-05 11:59:11.013000 by acetcom
* Created on: 2023-08-26 16:22:05.124502 by acetcom
* from 29274-h70.docx
******************************************************************************/

7
lib/gtp/v2/support/gtp-tlv.py
View File

@ -723,9 +723,10 @@ f.write("""int ogs_gtp2_parse_msg(ogs_gtp2_message_t *gtp2_message, ogs_pkbuf_t
for (k, v) in sorted_msg_list:
if "ies" in msg_list[k]:
f.write(" case OGS_GTP2_%s_TYPE:\n" % v_upper(k))
f.write(" rv = ogs_tlv_parse_msg(&gtp2_message->%s,\n" % v_lower(k))
f.write(" &ogs_gtp2_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2_I1);\n" % v_lower(k))
f.write(" break;\n")
if k != "Delete Indirect Data Forwarding Tunnel Request":
f.write(" rv = ogs_tlv_parse_msg(&gtp2_message->%s,\n" % v_lower(k))
f.write(" &ogs_gtp2_tlv_desc_%s, pkbuf, OGS_TLV_MODE_T1_L2_I1);\n" % v_lower(k))
f.write(" break;\n")
f.write(""" default:
ogs_warn("Not implemented(type:%d)", gtp2_message->h.type);
break;