[SEC] crash for IMSI/MSISDN/IMEI overflow (#3207)
When using ogs_buffer_to_bcd(), an overflow occurs if the input buffer length is larger than the output bcd size, causing a crash. We adjusted the size of the input buffer length using ogs_min as follows. ``` sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN); memcpy(sgwc_ue->imsi, imsi, sgwc_ue->imsi_len); ogs_buffer_to_bcd(sgwc_ue->imsi, sgwc_ue->imsi_len, sgwc_ue->imsi_bcd); ```
parent
80ab4c4a1b
commit
bba0ebe6a4
|
@ -226,7 +226,7 @@ sgwc_ue_t *sgwc_ue_add(uint8_t *imsi, int imsi_len)
|
|||
&sgwc_ue->sgw_s11_teid, sizeof(sgwc_ue->sgw_s11_teid), sgwc_ue);
|
||||
|
||||
/* Set IMSI */
|
||||
sgwc_ue->imsi_len = imsi_len;
|
||||
sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
|
||||
memcpy(sgwc_ue->imsi, imsi, sgwc_ue->imsi_len);
|
||||
ogs_buffer_to_bcd(sgwc_ue->imsi, sgwc_ue->imsi_len, sgwc_ue->imsi_bcd);
|
||||
|
||||
|
|
|
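Review bot: The clamp on `sgwc_ue->imsi_len` bounds only the upper side: `imsi_len` is a signed `int` in the `sgwc_ue_add()` signature, so if `ogs_min` is a plain comparison, a zero or negative value passes through, and a negative one becomes a very large size in the `memcpy` that follows. Silently truncating an oversized IMSI also stores an identity the peer never sent, so rejecting the input is probably the safer response. Something like `if (imsi_len <= 0 || imsi_len > OGS_MAX_IMSI_LEN) { ogs_error("Invalid IMSI length [%d]", imsi_len); return NULL; }` ahead of the allocation would do, assuming callers already handle a NULL return. The same applies to `smf_ue_add_by_imsi()` in the next section. The function body begins and ends outside this hunk, so whether callers already validate the length is not visible here.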
@ -1049,7 +1049,7 @@ smf_ue_t *smf_ue_add_by_imsi(uint8_t *imsi, int imsi_len)
|
|||
if ((smf_ue = smf_ue_add()) == NULL)
|
||||
return NULL;;
|
||||
|
||||
smf_ue->imsi_len = imsi_len;
|
||||
smf_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
|
||||
memcpy(smf_ue->imsi, imsi, smf_ue->imsi_len);
|
||||
ogs_buffer_to_bcd(smf_ue->imsi, smf_ue->imsi_len, smf_ue->imsi_bcd);
|
||||
ogs_hash_set(self.imsi_hash, smf_ue->imsi, smf_ue->imsi_len, smf_ue);
|
||||
|
|
|
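Review bot: `ogs_hash_set()` now keys the entry on the truncated IMSI, so two different oversized inputs that share their first `OGS_MAX_IMSI_LEN` bytes map to the same `smf_ue`. A lookup that hashes the caller's original, unclamped length would presumably miss the entry and lead to a fresh context on every such message. The lookup side is not in this hunk, so that needs checking against the find-by-IMSI path. If truncation is kept, a comment such as `/* imsi_len is clamped: stored IMSI and hash key may be shorter than what the peer sent */` above the assignment would document it. The function continues past the end of the hunk.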
@ -410,16 +410,15 @@ uint8_t smf_s5c_handle_create_session_request(
|
|||
|
||||
/* Set MSISDN */
|
||||
if (req->msisdn.presence && req->msisdn.len && req->msisdn.data) {
|
||||
smf_ue->msisdn_len = req->msisdn.len;
|
||||
memcpy(smf_ue->msisdn, req->msisdn.data,
|
||||
ogs_min(smf_ue->msisdn_len, OGS_MAX_MSISDN_LEN));
|
||||
smf_ue->msisdn_len = ogs_min(req->msisdn.len, OGS_MAX_MSISDN_LEN);
|
||||
memcpy(smf_ue->msisdn, req->msisdn.data, smf_ue->msisdn_len);
|
||||
ogs_buffer_to_bcd(smf_ue->msisdn,
|
||||
smf_ue->msisdn_len, smf_ue->msisdn_bcd);
|
||||
}
|
||||
|
||||
/* Set IMEI(SV) */
|
||||
if (req->me_identity.presence && req->me_identity.len > 0) {
|
||||
smf_ue->imeisv_len = req->me_identity.len;
|
||||
smf_ue->imeisv_len = ogs_min(req->me_identity.len, OGS_MAX_IMEISV_LEN);
|
||||
memcpy(smf_ue->imeisv,
|
||||
(uint8_t*)req->me_identity.data, smf_ue->imeisv_len);
|
||||
ogs_buffer_to_bcd(
|
||||
|
|
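Review bot: The IMEI(SV) branch copies from `req->me_identity.data` after testing only `presence` and `len > 0`, whereas the MSISDN branch just above also tests `req->msisdn.data`. Making the guards match, `if (req->me_identity.presence && req->me_identity.len > 0 && req->me_identity.data) {`, removes the dependence on the decoder never producing a present IE with a NULL data pointer. A short comment above each clamp, e.g. `/* peer-supplied length: clamp to the destination buffer before memcpy and BCD conversion */`, would record why the stored length and the copied length must be the same value. The handler starts before this hunk and the `ogs_buffer_to_bcd(` call is cut off at its end. Other handlers that copy these IEs are not shown and may need the same treatment.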