[AMF/MME] Fixed crash when receiving invalid packet (#2737) (#2755)

Sukchan Lee 2023-11-27 22:16:11 +09:00 committed by GitHub
parent ab1c3493c6
commit ee964f48dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 85 additions and 5 deletions


@ -594,6 +594,9 @@ void ngap_handle_uplink_nas_transport(
NGAP_UserLocationInformation_t *UserLocationInformation = NULL;
NGAP_UserLocationInformationNR_t *UserLocationInformationNR = NULL;
ogs_5gs_tai_t nr_tai;
int served_tai_index = 0;
ogs_assert(gnb);
ogs_assert(gnb->sctp.sock);
@ -706,6 +709,22 @@ void ngap_handle_uplink_nas_transport(
UserLocationInformationNR =
UserLocationInformation->choice.userLocationInformationNR;
ogs_assert(UserLocationInformationNR);
ogs_ngap_ASN_to_5gs_tai(&UserLocationInformationNR->tAI, &nr_tai);
served_tai_index = amf_find_served_tai(&nr_tai);
if (served_tai_index < 0) {
ogs_error("Cannot find Served TAI[PLMN_ID:%06x,TAC:%d]",
ogs_plmn_id_hexdump(&nr_tai.plmn_id), nr_tai.tac.v);
r = ngap_send_error_indication(
gnb, &ran_ue->ran_ue_ngap_id, &ran_ue->amf_ue_ngap_id,
NGAP_Cause_PR_protocol,
NGAP_CauseProtocol_message_not_compatible_with_receiver_state);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
return;
}
ogs_debug(" SERVED_TAI_INDEX[%d]", served_tai_index);
ogs_ngap_ASN_to_nr_cgi(
&UserLocationInformationNR->nR_CGI, &ran_ue->saved.nr_cgi);
ogs_ngap_ASN_to_5gs_tai(
@ -2662,6 +2681,9 @@ void ngap_handle_path_switch_request(
amf_nsmf_pdusession_sm_context_param_t param;
ogs_5gs_tai_t nr_tai;
int served_tai_index = 0;
ogs_assert(gnb);
ogs_assert(gnb->sctp.sock);
@ -2818,6 +2840,22 @@ void ngap_handle_path_switch_request(
UserLocationInformationNR =
UserLocationInformation->choice.userLocationInformationNR;
ogs_assert(UserLocationInformationNR);
ogs_ngap_ASN_to_5gs_tai(&UserLocationInformationNR->tAI, &nr_tai);
served_tai_index = amf_find_served_tai(&nr_tai);
if (served_tai_index < 0) {
ogs_error("Cannot find Served TAI[PLMN_ID:%06x,TAC:%d]",
ogs_plmn_id_hexdump(&nr_tai.plmn_id), nr_tai.tac.v);
r = ngap_send_error_indication(
gnb, &ran_ue->ran_ue_ngap_id, &ran_ue->amf_ue_ngap_id,
NGAP_Cause_PR_protocol,
NGAP_CauseProtocol_message_not_compatible_with_receiver_state);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
return;
}
ogs_debug(" SERVED_TAI_INDEX[%d]", served_tai_index);
ogs_ngap_ASN_to_nr_cgi(
&UserLocationInformationNR->nR_CGI, &ran_ue->saved.nr_cgi);
ogs_ngap_ASN_to_5gs_tai(
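Review bot: The new rejection branch in ngap_handle_uplink_nas_transport still ends in `ogs_assert(r != OGS_ERROR)`, so a failure to send the Error Indication would abort the AMF on the very path that is meant to survive a bad packet from a gNB; the identical branch in ngap_handle_path_switch_request has the same shape. What ngap_send_error_indication returns on failure is not visible here, but if OGS_ERROR is reachable at run time, logging and returning is the safer choice: keep `ogs_expect(r == OGS_OK);` and drop the assert. The two branches are copy-identical, so a small static helper taking `gnb`, `ran_ue` and `&nr_tai` would keep them from drifting apart. Both function bodies start and end outside the hunks, so the later use of `ran_ue->saved` could not be checked.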


@ -607,6 +607,9 @@ void s1ap_handle_uplink_nas_transport(
enb_ue_t *enb_ue = NULL;
ogs_eps_tai_t tai;
int served_tai_index = 0;
ogs_assert(enb);
ogs_assert(enb->sctp.sock);
@ -714,6 +717,29 @@ void s1ap_handle_uplink_nas_transport(
return;
}
pLMNidentity = &TAI->pLMNidentity;
ogs_assert(pLMNidentity && pLMNidentity->size == sizeof(ogs_plmn_id_t));
tAC = &TAI->tAC;
ogs_assert(tAC && tAC->size == sizeof(uint16_t));
memcpy(&tai.plmn_id, pLMNidentity->buf, sizeof(tai.plmn_id));
memcpy(&tai.tac, tAC->buf, sizeof(tai.tac));
tai.tac = be16toh(tai.tac);
/* Check TAI */
served_tai_index = mme_find_served_tai(&tai);
if (served_tai_index < 0) {
ogs_error("Cannot find Served TAI[PLMN_ID:%06x,TAC:%d]",
ogs_plmn_id_hexdump(&tai.plmn_id), tai.tac);
r = s1ap_send_error_indication(enb, MME_UE_S1AP_ID, ENB_UE_S1AP_ID,
S1AP_Cause_PR_protocol,
S1AP_CauseProtocol_message_not_compatible_with_receiver_state);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
return;
}
ogs_debug(" SERVED_TAI_INDEX[%d]", served_tai_index);
pLMNidentity = &EUTRAN_CGI->pLMNidentity;
ogs_assert(pLMNidentity && pLMNidentity->size == sizeof(ogs_plmn_id_t));
cell_ID = &EUTRAN_CGI->cell_ID;
@ -724,11 +750,6 @@ void s1ap_handle_uplink_nas_transport(
sizeof(enb_ue->saved.e_cgi.cell_id));
enb_ue->saved.e_cgi.cell_id = (be32toh(enb_ue->saved.e_cgi.cell_id) >> 4);
pLMNidentity = &TAI->pLMNidentity;
ogs_assert(pLMNidentity && pLMNidentity->size == sizeof(ogs_plmn_id_t));
tAC = &TAI->tAC;
ogs_assert(tAC && tAC->size == sizeof(uint16_t));
memcpy(&enb_ue->saved.tai.plmn_id, pLMNidentity->buf,
sizeof(enb_ue->saved.tai.plmn_id));
memcpy(&enb_ue->saved.tai.tac, tAC->buf, sizeof(enb_ue->saved.tai.tac));
@ -2306,6 +2327,9 @@ void s1ap_handle_path_switch_request(
mme_ue_t *mme_ue = NULL;
ogs_pkbuf_t *s1apbuf = NULL;
ogs_eps_tai_t tai;
int served_tai_index = 0;
sgw_relocation_e relocation;
ogs_assert(enb);
@ -2427,6 +2451,24 @@ void s1ap_handle_path_switch_request(
tAC = &TAI->tAC;
ogs_assert(tAC && tAC->size == sizeof(uint16_t));
memcpy(&tai.plmn_id, pLMNidentity->buf, sizeof(tai.plmn_id));
memcpy(&tai.tac, tAC->buf, sizeof(tai.tac));
tai.tac = be16toh(tai.tac);
/* Check TAI */
served_tai_index = mme_find_served_tai(&tai);
if (served_tai_index < 0) {
ogs_error("Cannot find Served TAI[PLMN_ID:%06x,TAC:%d]",
ogs_plmn_id_hexdump(&tai.plmn_id), tai.tac);
r = s1ap_send_error_indication(enb, MME_UE_S1AP_ID, ENB_UE_S1AP_ID,
S1AP_Cause_PR_protocol,
S1AP_CauseProtocol_message_not_compatible_with_receiver_state);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
return;
}
ogs_debug(" SERVED_TAI_INDEX[%d]", served_tai_index);
if (!E_RABToBeSwitchedDLList) {
ogs_error("No E_RABToBeSwitchedDLList");
r = s1ap_send_error_indication(enb, MME_UE_S1AP_ID, ENB_UE_S1AP_ID,
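Review bot: In s1ap_handle_uplink_nas_transport the TAI that is checked no longer appears to be the TAI that is stored. After the move, `pLMNidentity` is reassigned to `&EUTRAN_CGI->pLMNidentity` before the unchanged `memcpy(&enb_ue->saved.tai.plmn_id, pLMNidentity->buf, ...)`, and the old re-assignment to `&TAI->pLMNidentity` seems to be among the removed lines. As a result `saved.tai.plmn_id` would take the E-CGI's PLMN rather than the one passed to mme_find_served_tai. Copying from the validated local avoids this: `memcpy(&enb_ue->saved.tai.plmn_id, &tai.plmn_id, sizeof(tai.plmn_id));`. Part of the function lies outside the hunks and the page has lost its +/- markers, so this should be confirmed against the full file; the path-switch handler's store is not visible here.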