From a0f2535cb5a29bba6dbbccdb90c74ccd770cc700 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Wed, 22 Dec 2021 20:55:48 +0900
Subject: [PATCH] A crafted packet from UE can crash SGW-U/UPF
---
 src/sgwu/gtp-path.c | 6 ++++++
 src/smf/gtp-path.c | 6 ++++++
 src/upf/gtp-path.c | 6 ++++++
 3 files changed, 18 insertions(+)
diff --git a/src/sgwu/gtp-path.c b/src/sgwu/gtp-path.c
index c523e3e3c..b72f1aa5d 100644
--- a/src/sgwu/gtp-path.c
+++ b/src/sgwu/gtp-path.c
@@ -124,6 +124,12 @@ static void _gtpv1_u_recv_cb(short when, ogs_socket_t fd, void *data)
 ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
 goto cleanup;
 }
+ if (gtp_h->type != OGS_GTPU_MSGTYPE_END_MARKER &&
+ pkbuf->len <= len) {
+ ogs_error("[DROP] Small GTPU packet(type:%d len:%d)", gtp_h->type, len);
+ ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
+ goto cleanup;
+ }
 ogs_assert(ogs_pkbuf_pull(pkbuf, len));
 if (gtp_h->type == OGS_GTPU_MSGTYPE_END_MARKER) {
diff --git a/src/smf/gtp-path.c b/src/smf/gtp-path.c
index 8e825fe62..821341ce8 100644
--- a/src/smf/gtp-path.c
+++ b/src/smf/gtp-path.c
@@ -186,6 +186,12 @@ static void _gtpv1_u_recv_cb(short when, ogs_socket_t fd, void *data)
 ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
 goto cleanup;
 }
+ if (gtp_h->type != OGS_GTPU_MSGTYPE_END_MARKER &&
+ pkbuf->len <= len) {
+ ogs_error("[DROP] Small GTPU packet(type:%d len:%d)", gtp_h->type, len);
+ ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
+ goto cleanup;
+ }
 ogs_assert(ogs_pkbuf_pull(pkbuf, len));
 if (gtp_h->type == OGS_GTPU_MSGTYPE_GPDU) {
diff --git a/src/upf/gtp-path.c b/src/upf/gtp-path.c
index b18b7c51b..95bb5b99a 100644
--- a/src/upf/gtp-path.c
+++ b/src/upf/gtp-path.c
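Review bot: The added length check in src/sgwu/gtp-path.c is skipped whenever `gtp_h->type` is `OGS_GTPU_MSGTYPE_END_MARKER`, so an End Marker whose computed header length `len` is larger than `pkbuf->len` still reaches `ogs_assert(ogs_pkbuf_pull(pkbuf, len))` on the next line. If `ogs_pkbuf_pull` returns NULL for an over-long pull (its definition is not visible here), that assert aborts the daemon on a packet received from the network, which is the failure this commit sets out to remove. A type-independent bound placed before the type-specific test would cover it, for example `if (pkbuf->len < len) { ogs_error("[DROP] Truncated GTPU packet"); goto cleanup; }`, or the assert could be turned into a drop path. The same exemption is present in the src/smf/gtp-path.c and src/upf/gtp-path.c hunks. The body of `_gtpv1_u_recv_cb` starts and ends outside each hunk, so whether `len` is already bounded earlier cannot be confirmed from the lines shown.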
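Review bot: The six added lines in src/smf/gtp-path.c are an exact copy of the check added to src/sgwu/gtp-path.c and src/upf/gtp-path.c, which leaves three copies of a security-relevant bound to keep in sync. Moving the test into one shared helper beside the header-length computation, called from all three `_gtpv1_u_recv_cb` bodies, would keep a later correction from landing in only one daemon. In this file the line after the pull tests `OGS_GTPU_MSGTYPE_GPDU` rather than End Marker, so the exemption deserves a short comment stating why it is kept, such as `/* End Marker may legitimately have no payload after the header */`, if that is the intent.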
@@ -304,6 +304,12 @@ static void _gtpv1_u_recv_cb(short when, ogs_socket_t fd, void *data)
 ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
 goto cleanup;
 }
+ if (gtp_h->type != OGS_GTPU_MSGTYPE_END_MARKER &&
+ pkbuf->len <= len) {
+ ogs_error("[DROP] Small GTPU packet(type:%d len:%d)", gtp_h->type, len);
+ ogs_log_hexdump(OGS_LOG_ERROR, pkbuf->data, pkbuf->len);
+ goto cleanup;
+ }
 ogs_assert(ogs_pkbuf_pull(pkbuf, len));
 if (gtp_h->type == OGS_GTPU_MSGTYPE_END_MARKER) {
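Review bot: Every packet dropped by the new branch in src/upf/gtp-path.c is logged at `OGS_LOG_ERROR` together with an `ogs_log_hexdump` of `pkbuf->data`, and the commit subject says a UE can send the triggering packet, so a remote sender controls how many error lines and hexdumps the UPF writes. A lower log level or a rate-limited drop counter would bound that cost, and the hexdump could be omitted on this path. The message also prints only the header length `len`, so adding `pkbuf->len` (with a format specifier matching its type) would let an operator see from the log why the packet was judged too small. The same logging appears in the sgwu and smf hunks, and the enclosing `_gtpv1_u_recv_cb` continues outside the hunk.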