[SEC] crash for IMSI/MSISDN/IMEI overflow (#3207)

When using ogs_buffer_to_bcd(), an overflow occurs if the input buffer length
is larger than the output bcd size, causing a crash.

We clamp the input length to the maximum buffer size with ogs_min(), as follows.
```
    sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
    memcpy(sgwc_ue->imsi, imsi, sgwc_ue->imsi_len);
    ogs_buffer_to_bcd(sgwc_ue->imsi, sgwc_ue->imsi_len, sgwc_ue->imsi_bcd);
```
This commit is contained in:
Sukchan Lee 2024-05-17 20:25:49 +09:00
parent 80ab4c4a1b
commit bba0ebe6a4
3 changed files with 5 additions and 6 deletions


@ -226,7 +226,7 @@ sgwc_ue_t *sgwc_ue_add(uint8_t *imsi, int imsi_len)
&sgwc_ue->sgw_s11_teid, sizeof(sgwc_ue->sgw_s11_teid), sgwc_ue);
/* Set IMSI */
sgwc_ue->imsi_len = imsi_len;
sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
memcpy(sgwc_ue->imsi, imsi, sgwc_ue->imsi_len);
ogs_buffer_to_bcd(sgwc_ue->imsi, sgwc_ue->imsi_len, sgwc_ue->imsi_bcd);
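Review bot: The new `sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);` line silently truncates an oversized IMSI instead of rejecting it, so the crash is gone but the UE context is now registered under an IMSI that is not the one received; an over-long length is a malformed message, not data to be repaired, and nothing is logged when it happens. A negative `imsi_len` is also not covered: the parameter is `int`, and `ogs_min()` would hand a negative value to `memcpy()` as a huge `size_t`; whether any caller can reach here with such a length is not visible from the hunk. I would validate before touching the context, `if (imsi_len <= 0 || imsi_len > OGS_MAX_IMSI_LEN) return NULL;` (or whatever failure convention the function's earlier allocation path uses), and keep the `ogs_min()` clamp only as belt-and-braces. sgwc_ue_add's body starts and ends outside the hunk, so whether callers already handle a NULL return here is not visible.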


@ -1049,7 +1049,7 @@ smf_ue_t *smf_ue_add_by_imsi(uint8_t *imsi, int imsi_len)
if ((smf_ue = smf_ue_add()) == NULL)
return NULL;;
smf_ue->imsi_len = imsi_len;
smf_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
memcpy(smf_ue->imsi, imsi, smf_ue->imsi_len);
ogs_buffer_to_bcd(smf_ue->imsi, smf_ue->imsi_len, smf_ue->imsi_bcd);
ogs_hash_set(self.imsi_hash, smf_ue->imsi, smf_ue->imsi_len, smf_ue);
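Review bot: The clamped length on the `smf_ue->imsi_len = ogs_min(...)` line flows straight into `ogs_hash_set(self.imsi_hash, smf_ue->imsi, smf_ue->imsi_len, smf_ue)`, so an over-long IMSI whose leading OGS_MAX_IMSI_LEN bytes match an existing subscriber's IMSI now produces exactly that subscriber's hash key. What `ogs_hash_set()` does on a duplicate key (replace or keep) is not visible here, but either way two UE contexts end up sharing one identity, which is a context-confusion risk rather than the crash the commit fixes. Since the function already returns NULL when `smf_ue_add()` fails, rejecting a bad length first costs one line and needs no teardown: `if (imsi_len <= 0 || imsi_len > OGS_MAX_IMSI_LEN) return NULL;` placed before the `smf_ue_add()` call. smf_ue_add_by_imsi's body starts and ends outside the hunk.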


@ -410,16 +410,15 @@ uint8_t smf_s5c_handle_create_session_request(
/* Set MSISDN */
if (req->msisdn.presence && req->msisdn.len && req->msisdn.data) {
smf_ue->msisdn_len = req->msisdn.len;
memcpy(smf_ue->msisdn, req->msisdn.data,
ogs_min(smf_ue->msisdn_len, OGS_MAX_MSISDN_LEN));
smf_ue->msisdn_len = ogs_min(req->msisdn.len, OGS_MAX_MSISDN_LEN);
memcpy(smf_ue->msisdn, req->msisdn.data, smf_ue->msisdn_len);
ogs_buffer_to_bcd(smf_ue->msisdn,
smf_ue->msisdn_len, smf_ue->msisdn_bcd);
}
/* Set IMEI(SV) */
if (req->me_identity.presence && req->me_identity.len > 0) {
smf_ue->imeisv_len = req->me_identity.len;
smf_ue->imeisv_len = ogs_min(req->me_identity.len, OGS_MAX_IMEISV_LEN);
memcpy(smf_ue->imeisv,
(uint8_t*)req->me_identity.data, smf_ue->imeisv_len);
ogs_buffer_to_bcd(