sysmocom
/
open5gs
forked from acouzens/open5gs
11
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[SEC] Fix Assertion ogs_pfcp_parse_user_plane_ip_resource_info() (#3207)

This commit is contained in:
Sukchan Lee 2024-05-18 21:06:40 +09:00
parent 5f425445a8
commit bd4d925f0f
2 changed files with 45 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/pfcp/handler.c
View File

@ -94,6 +94,7 @@ bool ogs_pfcp_cp_handle_association_setup_request(
ogs_pfcp_association_setup_request_t *req)
{
int i;
int16_t decoded;
ogs_assert(xact);
ogs_assert(node);
@ -112,8 +113,11 @@ bool ogs_pfcp_cp_handle_association_setup_request(
if (message->presence == 0)
break;
ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
decoded = ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
if (message->len == decoded)
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
else
ogs_error("Invalid User Plane IP Resource Info");
}
if (req->up_function_features.presence) {
@ -143,6 +147,7 @@ bool ogs_pfcp_cp_handle_association_setup_response(
ogs_pfcp_association_setup_response_t *rsp)
{
int i;
int16_t decoded;
ogs_assert(xact);
ogs_pfcp_xact_commit(xact);
@ -160,8 +165,11 @@ bool ogs_pfcp_cp_handle_association_setup_response(
if (message->presence == 0)
break;
ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
decoded = ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
if (message->len == decoded)
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
else
ogs_error("Invalid User Plane IP Resource Info");
}
if (rsp->up_function_features.presence) {

39
lib/pfcp/types.c
View File

@ -149,14 +149,22 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
size++;
if (info->teidri) {
ogs_assert(size + sizeof(info->teid_range) <= octet->len);
if (size + sizeof(info->teid_range) > octet->len) {
ogs_error("size[%d]+sizeof(info->teid_range)[%d] > IE Length[%d]",
size, (int)sizeof(info->teid_range), octet->len);
return 0;
}
memcpy(&info->teid_range, (unsigned char *)octet->data + size,
sizeof(info->teid_range));
size += sizeof(info->teid_range);
}
if (info->v4) {
ogs_assert(size + sizeof(info->addr) <= octet->len);
if (size + sizeof(info->addr) > octet->len) {
ogs_error("size[%d]+sizeof(info->addr)[%d] > IE Length[%d]",
size, (int)sizeof(info->addr), octet->len);
return 0;
}
memcpy(&info->addr,
(unsigned char *)octet->data + size,
sizeof(info->addr));
@ -164,14 +172,28 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
}
if (info->v6) {
ogs_assert(size + OGS_IPV6_LEN <= octet->len);
if (size + OGS_IPV6_LEN > octet->len) {
ogs_error("size[%d]+OGS_IPV6_LEN[%d] > IE Length[%d]",
size, (int)OGS_IPV6_LEN, octet->len);
return 0;
}
memcpy(&info->addr6, (unsigned char *)octet->data + size, OGS_IPV6_LEN);
size += OGS_IPV6_LEN;
}
if (info->assoni) {
int len = octet->len - size;
if (len <= 0) {
ogs_error("len[%d] octect->len[%d] size[%d]", len, octet->len, size);
return 0;
}
if (info->assosi) len--;
if (len <= 0) {
ogs_error("info->assosi[%d] len[%d] octect->len[%d] size[%d]",
info->assosi, len, octet->len, size);
return 0;
}
if (ogs_fqdn_parse(info->network_instance, (char *)octet->data + size,
ogs_min(len, OGS_MAX_APN_LEN)) <= 0) {
@ -182,14 +204,19 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
}
if (info->assosi) {
ogs_assert(size + sizeof(info->source_interface) <=
octet->len);
if (size + sizeof(info->source_interface) > octet->len) {
ogs_error("size[%d]+sizeof(info->source_interface)[%d] > "
"IE Length[%d]",
size, (int)sizeof(info->source_interface), octet->len);
return 0;
}
memcpy(&info->source_interface, (unsigned char *)octet->data + size,
sizeof(info->source_interface));
size += sizeof(info->source_interface);
}
ogs_assert(size == octet->len);
if (size != octet->len)
ogs_error("Mismatch IE Length[%d] != Decoded[%d]", octet->len, size);
return size;
}