From 866ae78f5e46c2fd77b1da5101fadcc47216cf5a Mon Sep 17 00:00:00 2001 From: Sukchan Lee Date: Sat, 22 Jan 2022 09:34:38 +0900 Subject: [PATCH] [NRF] fix the crash for invalid FQDN (#1333) --- lib/core/ogs-3gpp-types.c | 3 ++- lib/nas/5gs/decoder.c | 2 +- lib/nas/5gs/encoder.c | 2 +- lib/nas/5gs/ies.c | 14 +++++++------- lib/nas/5gs/ies.h | 2 +- lib/nas/5gs/message.h | 2 +- lib/nas/5gs/support/type-list.py | 2 +- lib/nas/eps/decoder.c | 2 +- lib/nas/eps/encoder.c | 2 +- lib/nas/eps/ies.c | 4 ++-- lib/nas/eps/ies.h | 2 +- lib/nas/eps/message.h | 2 +- lib/nas/eps/support/type-list.py | 2 +- lib/pfcp/handler.c | 4 ++-- lib/pfcp/types.c | 2 +- lib/sbi/nnrf-build.c | 8 +++++++- lib/sbi/nnrf-handler.c | 26 +++++++++++++++++++------- src/bsf/nbsf-handler.c | 2 +- src/mme/sgsap-handler.c | 2 +- src/sgwc/s11-handler.c | 2 +- src/smf/context.c | 2 +- tests/af/nbsf-handler.c | 2 +- 22 files changed, 55 insertions(+), 36 deletions(-) diff --git a/lib/core/ogs-3gpp-types.c b/lib/core/ogs-3gpp-types.c index e5e13fbd8..6cfec3339 100644 --- a/lib/core/ogs-3gpp-types.c +++ b/lib/core/ogs-3gpp-types.c @@ -327,8 +327,9 @@ int ogs_fqdn_parse(char *dst, char *src, int length) while (i+1 < length) { len = src[i++]; if ((j + len + 1) > length) { - ogs_error("Invalid APN encoding[len:%d] + 1 > length[%d]", + ogs_error("Invalid FQDN encoding[len:%d] + 1 > length[%d]", len, length); + ogs_log_hexdump(OGS_LOG_ERROR, (unsigned char *)src, length); return 0; } memcpy(&dst[j], &src[i], len); diff --git a/lib/nas/5gs/decoder.c b/lib/nas/5gs/decoder.c index 3e6a35343..89346c576 100644 --- a/lib/nas/5gs/decoder.c +++ b/lib/nas/5gs/decoder.c 
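Review bot: The bound in `ogs_fqdn_parse()` is checked against `length` only, so the size of `dst` is an unwritten contract: the `memcpy(&dst[j], &src[i], len)` after the check is safe only if every caller passes a `dst` large enough for `length` bytes plus the terminator. That contract is what the `OGS_MAX_*_LEN+1` arguments corrected elsewhere in this commit appear to have broken. I would state it on the function, e.g. `/* dst must have room for length bytes plus a terminating NUL; returns 0 on malformed input */`, and consider a destination-size parameter in a follow-up. `len` is assigned from a `char` and its declaration is outside the hunk; if it is a signed type, a length octet of 0x80 or above would go negative and pass the check, so that is worth confirming. The function body starts before and continues after the hunk.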
@@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.2.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-10-13 22:57:17.425900 by acetcom + * Created on: 2022-01-22 09:24:09.045630 by acetcom * from 24501-g41.docx ******************************************************************************/ diff --git a/lib/nas/5gs/encoder.c b/lib/nas/5gs/encoder.c index 0e1225d54..359fd464d 100644 --- a/lib/nas/5gs/encoder.c +++ b/lib/nas/5gs/encoder.c @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.2.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-10-13 22:57:17.434442 by acetcom + * Created on: 2022-01-22 09:24:09.053958 by acetcom * from 24501-g41.docx ******************************************************************************/ diff --git a/lib/nas/5gs/ies.c b/lib/nas/5gs/ies.c index c66823e96..f840f2107 100644 --- a/lib/nas/5gs/ies.c +++ b/lib/nas/5gs/ies.c @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.2.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-10-13 22:57:17.413540 by acetcom + * Created on: 2022-01-22 09:24:09.032504 by acetcom * from 24501-g41.docx ******************************************************************************/ 
@@ -135,13 +135,13 @@ int ogs_nas_5gs_decode_dnn(ogs_nas_dnn_t *dnn, ogs_pkbuf_t *pkbuf) memcpy(dnn, pkbuf->data - size, size); { - char data_network_name[OGS_MAX_DNN_LEN]; - dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1)); + char data_network_name[OGS_MAX_DNN_LEN+1]; + dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN)); if (dnn->length > 0) { - ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN) + 1); - } else { - ogs_error("UE not APN setting"); - } + ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN)+1); + } else { + ogs_error("UE not APN setting"); + } } ogs_trace(" DNN - "); diff --git a/lib/nas/5gs/ies.h b/lib/nas/5gs/ies.h index 402d529f6..2783b80de 100644 --- a/lib/nas/5gs/ies.h +++ b/lib/nas/5gs/ies.h @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.2.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-10-13 22:57:17.411445 by acetcom + * Created on: 2022-01-22 09:24:09.029942 by acetcom * from 24501-g41.docx ******************************************************************************/ diff --git a/lib/nas/5gs/message.h b/lib/nas/5gs/message.h index deabfb1f6..afa685440 100644 --- a/lib/nas/5gs/message.h +++ b/lib/nas/5gs/message.h @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.2.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-10-13 22:57:17.420408 by acetcom + * Created on: 2022-01-22 09:24:09.040249 by acetcom * from 24501-g41.docx ******************************************************************************/ 
diff --git a/lib/nas/5gs/support/type-list.py b/lib/nas/5gs/support/type-list.py index f35b356d9..ab0b1db3a 100644 --- a/lib/nas/5gs/support/type-list.py +++ b/lib/nas/5gs/support/type-list.py @@ -29,7 +29,7 @@ type_list["Header compression configuration"]["encode"] = \ type_list["DNN"]["decode"] = \ " {\n" \ " char data_network_name[OGS_MAX_DNN_LEN+1];\n" \ -" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN+1));\n" \ +" dnn->length = ogs_fqdn_parse(data_network_name, dnn->value, ogs_min(dnn->length, OGS_MAX_DNN_LEN));\n" \ " if (dnn->length > 0) {\n" \ " ogs_cpystrn(dnn->value, data_network_name, ogs_min(dnn->length, OGS_MAX_DNN_LEN)+1);\n" \ " } else {\n" \ diff --git a/lib/nas/eps/decoder.c b/lib/nas/eps/decoder.c index 203eedc19..6703d507e 100644 --- a/lib/nas/eps/decoder.c +++ b/lib/nas/eps/decoder.c @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-11-15 15:24:45.981268 by acetcom + * Created on: 2022-01-22 09:24:28.380730 by acetcom * from 24301-g40.docx ******************************************************************************/ diff --git a/lib/nas/eps/encoder.c b/lib/nas/eps/encoder.c index a6d3f3731..7b11df53d 100644 --- a/lib/nas/eps/encoder.c +++ b/lib/nas/eps/encoder.c @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-11-15 15:24:45.990017 by acetcom + * Created on: 2022-01-22 09:24:28.390156 by acetcom * from 24301-g40.docx ******************************************************************************/ diff --git a/lib/nas/eps/ies.c b/lib/nas/eps/ies.c index 98abdfbcb..bb7b98583 100644 --- a/lib/nas/eps/ies.c 
+++ b/lib/nas/eps/ies.c @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-11-15 15:24:45.969895 by acetcom + * Created on: 2022-01-22 09:24:28.368722 by acetcom * from 24301-g40.docx ******************************************************************************/ @@ -3014,7 +3014,7 @@ int ogs_nas_eps_decode_access_point_name(ogs_nas_access_point_name_t *access_poi { char apn[OGS_MAX_APN_LEN+1]; - access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1)); + access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)); if (access_point_name->length > 0) { ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1); } else { diff --git a/lib/nas/eps/ies.h b/lib/nas/eps/ies.h index 5bd2d6d37..0ce3a12e5 100644 --- a/lib/nas/eps/ies.h +++ b/lib/nas/eps/ies.h @@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-11-15 15:24:45.968168 by acetcom + * Created on: 2022-01-22 09:24:28.366939 by acetcom * from 24301-g40.docx ******************************************************************************/ diff --git a/lib/nas/eps/message.h b/lib/nas/eps/message.h index 5caf09ac2..dc5f36049 100644 --- a/lib/nas/eps/message.h +++ b/lib/nas/eps/message.h 
@@ -28,7 +28,7 @@ /******************************************************************************* * This file had been created by nas-message.py script v0.1.0 * Please do not modify this file but regenerate it via script. - * Created on: 2021-11-15 15:24:45.975004 by acetcom + * Created on: 2022-01-22 09:24:28.374281 by acetcom * from 24301-g40.docx ******************************************************************************/ diff --git a/lib/nas/eps/support/type-list.py b/lib/nas/eps/support/type-list.py index f8918cfea..f2b1ba572 100644 --- a/lib/nas/eps/support/type-list.py +++ b/lib/nas/eps/support/type-list.py @@ -71,7 +71,7 @@ type_list["Short MAC"]["encode"] = \ type_list["Access point name"]["decode"] = \ " {\n" \ " char apn[OGS_MAX_APN_LEN+1];\n" \ -" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN+1));\n" \ +" access_point_name->length = ogs_fqdn_parse(apn, access_point_name->apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN));\n" \ " if (access_point_name->length > 0) {\n" \ " ogs_cpystrn(access_point_name->apn, apn, ogs_min(access_point_name->length, OGS_MAX_APN_LEN)+1);\n" \ " } else {\n" \ diff --git a/lib/pfcp/handler.c b/lib/pfcp/handler.c index 265ecb01e..f1b703a61 100644 --- a/lib/pfcp/handler.c +++ b/lib/pfcp/handler.c @@ -421,7 +421,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_create_pdr(ogs_pfcp_sess_t *sess, ogs_assert(0 < ogs_fqdn_parse(dnn, message->pdi.network_instance.data, - ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1))); + ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN))); pdr->dnn = ogs_strdup(dnn); ogs_assert(pdr->dnn); 
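Review bot: `ogs_assert(0 < ogs_fqdn_parse(...))` in `ogs_pfcp_handle_create_pdr()` still turns a malformed Network Instance from a peer's PFCP message into an assertion failure, the same failure mode this commit removes from `lib/sbi/nnrf-handler.c` by returning an error. Tightening the clamp to `OGS_MAX_DNN_LEN` does not change that, because a bad label length still makes the parser return 0. The same pattern is kept in `ogs_pfcp_handle_update_pdr()`, `lib/pfcp/types.c`, `src/bsf/nbsf-handler.c`, `src/mme/sgsap-handler.c`, `src/sgwc/s11-handler.c`, `src/smf/context.c` and `tests/af/nbsf-handler.c`. Each should reject the message instead, along the lines of `if (ogs_fqdn_parse(dnn, message->pdi.network_instance.data, ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN)) <= 0) { ogs_error("Invalid Network Instance"); return NULL; }`. The function's error-reporting path is outside the hunk, so the exact return value needs checking there.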
@@ -669,7 +669,7 @@ ogs_pfcp_pdr_t *ogs_pfcp_handle_update_pdr(ogs_pfcp_sess_t *sess, ogs_assert(0 < ogs_fqdn_parse(dnn, message->pdi.network_instance.data, - ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN+1))); + ogs_min(message->pdi.network_instance.len, OGS_MAX_DNN_LEN))); if (pdr->dnn) ogs_free(pdr->dnn); diff --git a/lib/pfcp/types.c b/lib/pfcp/types.c index 87fc74502..366319e11 100644 --- a/lib/pfcp/types.c +++ b/lib/pfcp/types.c @@ -175,7 +175,7 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info( ogs_assert(0 < ogs_fqdn_parse( info->network_instance, (char *)octet->data + size, - ogs_min(len, OGS_MAX_APN_LEN)+1)); + ogs_min(len, OGS_MAX_APN_LEN))); size += len; } diff --git a/lib/sbi/nnrf-build.c b/lib/sbi/nnrf-build.c index 4c1714ef2..8cd7bacfc 100644 --- a/lib/sbi/nnrf-build.c +++ b/lib/sbi/nnrf-build.c @@ -68,7 +68,9 @@ OpenAPI_nf_profile_t *ogs_nnrf_nfm_build_nf_profile( ogs_expect_or_return_val(NFProfile->fqdn, NULL); NFProfile->fqdn[fqdn_len] = 0; - ogs_trace("FQDN[%s]", nf_instance->fqdn); + ogs_debug("NFInstance-FQDN[%s]", nf_instance->fqdn); + ogs_log_hexdump(OGS_LOG_DEBUG, + (unsigned char *)NFProfile->fqdn, fqdn_len); } NFProfile->is_priority = true; @@ -188,6 +190,10 @@ OpenAPI_nf_profile_t *ogs_nnrf_nfm_build_nf_profile( NFService->fqdn = ogs_memdup(fqdn, fqdn_len+1); ogs_expect_or_return_val(NFService->fqdn, NULL); NFService->fqdn[fqdn_len] = 0; + + ogs_debug("NFService-FQDN[%s]", nf_service->fqdn); + ogs_log_hexdump(OGS_LOG_DEBUG, + (unsigned char *)NFService->fqdn, fqdn_len); } IpEndPointList = OpenAPI_list_create(); diff --git a/lib/sbi/nnrf-handler.c b/lib/sbi/nnrf-handler.c index f54d33d18..2a33d1b94 100644 --- a/lib/sbi/nnrf-handler.c +++ b/lib/sbi/nnrf-handler.c 
@@ -247,10 +247,16 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance, if (NFProfile->is_heart_beat_timer == true) nf_instance->time.heartbeat_interval = NFProfile->heart_beat_timer; - if (NFProfile->fqdn) - ogs_assert(0 < ogs_fqdn_parse( + if (NFProfile->fqdn) { + if (ogs_fqdn_parse( nf_instance->fqdn, NFProfile->fqdn, - ogs_min(strlen(NFProfile->fqdn), OGS_MAX_FQDN_LEN+1))); + ogs_min(strlen(NFProfile->fqdn), OGS_MAX_FQDN_LEN)) > 0) { + /* Nothing : succeeded to parse FQDN */ + } else { + ogs_error("ogs_fqdn_parse() failed[%s]", NFProfile->fqdn); + return false; + } + } if (NFProfile->is_priority == true) nf_instance->priority = NFProfile->priority; @@ -328,10 +334,16 @@ bool ogs_sbi_nnrf_handle_nf_profile(ogs_sbi_nf_instance_t *nf_instance, NFServiceVersion->expiry); } - if (NFService->fqdn) - ogs_assert(0 < ogs_fqdn_parse( - nf_service->fqdn, NFService->fqdn, - ogs_min(strlen(NFService->fqdn), OGS_MAX_FQDN_LEN+1))); + if (NFService->fqdn) { + if (ogs_fqdn_parse( + nf_service->fqdn, NFService->fqdn, + ogs_min(strlen(NFService->fqdn), OGS_MAX_FQDN_LEN)) > 0) { + /* Nothing : succeeded to parse FQDN */ + } else { + ogs_error("ogs_fqdn_parse() failed[%s]", NFService->fqdn); + return false; + } + } OpenAPI_list_for_each(IpEndPointList, node2) { OpenAPI_ip_end_point_t *IpEndPoint = node2->data; diff --git a/src/bsf/nbsf-handler.c b/src/bsf/nbsf-handler.c index 22d51198b..9ef991403 100644 --- a/src/bsf/nbsf-handler.c +++ b/src/bsf/nbsf-handler.c @@ -104,7 +104,7 @@ bool bsf_nbsf_management_handle_pcf_binding( ogs_assert(0 < ogs_fqdn_parse( fqdn, RecvPcfBinding->pcf_fqdn, ogs_min(strlen(RecvPcfBinding->pcf_fqdn), - OGS_MAX_FQDN_LEN+1))); + OGS_MAX_FQDN_LEN))); if (sess->pcf_fqdn) ogs_free(sess->pcf_fqdn); diff --git a/src/mme/sgsap-handler.c b/src/mme/sgsap-handler.c index de5526d8c..41a8ca254 100644 --- a/src/mme/sgsap-handler.c +++ b/src/mme/sgsap-handler.c 
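Review bot: The new failure branch logs `NFProfile->fqdn` with `%s`, but that string is presumably the length-prefixed label encoding `ogs_fqdn_parse()` has just rejected. Its length octets would reach the log as raw control bytes (a label length of 10 is a newline), so a misbehaving peer can split or garble log lines. `ogs_fqdn_parse()` already hex-dumps its input on the error path changed in this commit, so `ogs_error("ogs_fqdn_parse() failed");` is enough here, or use `ogs_log_hexdump(OGS_LOG_ERROR, (unsigned char *)NFProfile->fqdn, strlen(NFProfile->fqdn));`. As a style point, the empty success branch reads better inverted: `if (ogs_fqdn_parse(...) <= 0) { ogs_error(...); return false; }`. Both remarks also apply to the `NFService->fqdn` hunk later in this file.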
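Review bot: The new `return false` in the `NFService->fqdn` branch exits `ogs_sbi_nnrf_handle_nf_profile()` part-way through its work. By then `nf_instance` has already had fields such as `time.heartbeat_interval` overwritten (first hunk), and the service's version entries have been processed just above this check. Whether callers discard or roll back the instance on `false` is outside the hunk; if they do not, a profile with one bad service FQDN leaves a half-updated instance in place. Validating both FQDNs before mutating `nf_instance`, or documenting on the function that a `false` return means the instance must be dropped, would make the contract explicit.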
@@ -288,7 +288,7 @@ void sgsap_handle_paging_request(mme_vlr_t *vlr, ogs_pkbuf_t *pkbuf) case SGSAP_IE_VLR_NAME_TYPE: ogs_assert(0 < ogs_fqdn_parse( vlr_name, iter->value, - ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN+1))); + ogs_min(iter->length, SGSAP_IE_VLR_NAME_LEN))); break; case SGSAP_IE_LAI_TYPE: lai = iter->value; diff --git a/src/sgwc/s11-handler.c b/src/sgwc/s11-handler.c index 7a5a64cee..5eb51c531 100644 --- a/src/sgwc/s11-handler.c +++ b/src/sgwc/s11-handler.c @@ -191,7 +191,7 @@ void sgwc_s11_handle_create_session_request( /* Add Session */ ogs_assert(0 < ogs_fqdn_parse(apn, req->access_point_name.data, - ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1))); + ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN))); sess = sgwc_sess_find_by_ebi(sgwc_ue, req->bearer_contexts_to_be_created.eps_bearer_id.u8); if (sess) { diff --git a/src/smf/context.c b/src/smf/context.c index ba575c217..ee19af7fd 100644 --- a/src/smf/context.c +++ b/src/smf/context.c @@ -1037,7 +1037,7 @@ smf_sess_t *smf_sess_add_by_gtp_message(ogs_gtp_message_t *message) } ogs_assert(0 < ogs_fqdn_parse(apn, req->access_point_name.data, - ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN+1))); + ogs_min(req->access_point_name.len, OGS_MAX_APN_LEN))); ogs_trace("smf_sess_add_by_message() [APN:%s]", apn); diff --git a/tests/af/nbsf-handler.c b/tests/af/nbsf-handler.c index b53f8bddb..ed3fbb021 100644 --- a/tests/af/nbsf-handler.c +++ b/tests/af/nbsf-handler.c @@ -45,7 +45,7 @@ void af_nbsf_management_handle_pcf_binding( if (PcfBinding->pcf_fqdn) { ogs_assert(0 < ogs_fqdn_parse(fqdn, PcfBinding->pcf_fqdn, - ogs_min(strlen(PcfBinding->pcf_fqdn), OGS_MAX_FQDN_LEN+1))); + ogs_min(strlen(PcfBinding->pcf_fqdn), OGS_MAX_FQDN_LEN))); if (sess->pcf.fqdn) ogs_free(sess->pcf.fqdn); sess->pcf.fqdn = ogs_strdup(fqdn);