forked from acouzens/open5gs
[SEC] Fix Assertion ogs_pfcp_parse_user_plane_ip_resource_info() (#3207)
This commit is contained in:
parent
5f425445a8
commit
bd4d925f0f
|
@ -94,6 +94,7 @@ bool ogs_pfcp_cp_handle_association_setup_request(
|
|||
ogs_pfcp_association_setup_request_t *req)
|
||||
{
|
||||
int i;
|
||||
int16_t decoded;
|
||||
|
||||
ogs_assert(xact);
|
||||
ogs_assert(node);
|
||||
|
@ -112,8 +113,11 @@ bool ogs_pfcp_cp_handle_association_setup_request(
|
|||
if (message->presence == 0)
|
||||
break;
|
||||
|
||||
ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
|
||||
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
|
||||
decoded = ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
|
||||
if (message->len == decoded)
|
||||
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
|
||||
else
|
||||
ogs_error("Invalid User Plane IP Resource Info");
|
||||
}
|
||||
|
||||
if (req->up_function_features.presence) {
|
||||
|
@ -143,6 +147,7 @@ bool ogs_pfcp_cp_handle_association_setup_response(
|
|||
ogs_pfcp_association_setup_response_t *rsp)
|
||||
{
|
||||
int i;
|
||||
int16_t decoded;
|
||||
|
||||
ogs_assert(xact);
|
||||
ogs_pfcp_xact_commit(xact);
|
||||
|
@ -160,8 +165,11 @@ bool ogs_pfcp_cp_handle_association_setup_response(
|
|||
if (message->presence == 0)
|
||||
break;
|
||||
|
||||
ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
|
||||
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
|
||||
decoded = ogs_pfcp_parse_user_plane_ip_resource_info(&info, message);
|
||||
if (message->len == decoded)
|
||||
ogs_gtpu_resource_add(&node->gtpu_resource_list, &info);
|
||||
else
|
||||
ogs_error("Invalid User Plane IP Resource Info");
|
||||
}
|
||||
|
||||
if (rsp->up_function_features.presence) {
|
||||
|
|
|
@ -149,14 +149,22 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
|
|||
size++;
|
||||
|
||||
if (info->teidri) {
|
||||
ogs_assert(size + sizeof(info->teid_range) <= octet->len);
|
||||
if (size + sizeof(info->teid_range) > octet->len) {
|
||||
ogs_error("size[%d]+sizeof(info->teid_range)[%d] > IE Length[%d]",
|
||||
size, (int)sizeof(info->teid_range), octet->len);
|
||||
return 0;
|
||||
}
|
||||
memcpy(&info->teid_range, (unsigned char *)octet->data + size,
|
||||
sizeof(info->teid_range));
|
||||
size += sizeof(info->teid_range);
|
||||
}
|
||||
|
||||
if (info->v4) {
|
||||
ogs_assert(size + sizeof(info->addr) <= octet->len);
|
||||
if (size + sizeof(info->addr) > octet->len) {
|
||||
ogs_error("size[%d]+sizeof(info->addr)[%d] > IE Length[%d]",
|
||||
size, (int)sizeof(info->addr), octet->len);
|
||||
return 0;
|
||||
}
|
||||
memcpy(&info->addr,
|
||||
(unsigned char *)octet->data + size,
|
||||
sizeof(info->addr));
|
||||
|
@ -164,14 +172,28 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
|
|||
}
|
||||
|
||||
if (info->v6) {
|
||||
ogs_assert(size + OGS_IPV6_LEN <= octet->len);
|
||||
if (size + OGS_IPV6_LEN > octet->len) {
|
||||
ogs_error("size[%d]+OGS_IPV6_LEN[%d] > IE Length[%d]",
|
||||
size, (int)OGS_IPV6_LEN, octet->len);
|
||||
return 0;
|
||||
}
|
||||
memcpy(&info->addr6, (unsigned char *)octet->data + size, OGS_IPV6_LEN);
|
||||
size += OGS_IPV6_LEN;
|
||||
}
|
||||
|
||||
if (info->assoni) {
|
||||
int len = octet->len - size;
|
||||
if (len <= 0) {
|
||||
ogs_error("len[%d] octect->len[%d] size[%d]", len, octet->len, size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (info->assosi) len--;
|
||||
if (len <= 0) {
|
||||
ogs_error("info->assosi[%d] len[%d] octect->len[%d] size[%d]",
|
||||
info->assosi, len, octet->len, size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ogs_fqdn_parse(info->network_instance, (char *)octet->data + size,
|
||||
ogs_min(len, OGS_MAX_APN_LEN)) <= 0) {
|
||||
|
@ -182,14 +204,19 @@ int16_t ogs_pfcp_parse_user_plane_ip_resource_info(
|
|||
}
|
||||
|
||||
if (info->assosi) {
|
||||
ogs_assert(size + sizeof(info->source_interface) <=
|
||||
octet->len);
|
||||
if (size + sizeof(info->source_interface) > octet->len) {
|
||||
ogs_error("size[%d]+sizeof(info->source_interface)[%d] > "
|
||||
"IE Length[%d]",
|
||||
size, (int)sizeof(info->source_interface), octet->len);
|
||||
return 0;
|
||||
}
|
||||
memcpy(&info->source_interface, (unsigned char *)octet->data + size,
|
||||
sizeof(info->source_interface));
|
||||
size += sizeof(info->source_interface);
|
||||
}
|
||||
|
||||
ogs_assert(size == octet->len);
|
||||
if (size != octet->len)
|
||||
ogs_error("Mismatch IE Length[%d] != Decoded[%d]", octet->len, size);
|
||||
|
||||
return size;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue